latest updates from easySERVICE™
On Monday, the blogging platform Tumblr fixed a security flaw in its app for iPhones and iPads — a vulnerability that put users’ accounts at risk by transmitting user names and passwords in plain text.
However, the IT staffer who found the flaw says Tumblr initially ignored his information and only fixed the vulnerability after a tech blog contacted Tumblr for comment two weeks later.
The company’s negligence suggests that millions of Tumblr iOS users were exposed to attacks and account hijacks for two weeks after Tumblr was alerted to the bug. (The Tumblr app for Android is not affected.)
“Yesterday, Tumblr was notified of a security vulnerability introduced in our iOS app,” a Tumblr spokeswoman told TechNewsDaily via email. “We immediately released an update that repairs the issue and are notifying affected users. We obviously take these incidents very seriously and deeply regret this error.”
When logging into Tumblr from a Mac, PC or Android device, the user’s login credentials are sent using an encrypted connection and, therefore, cannot be “sniffed” by an identity thief or hacker using commonly available software.
However, until last night, a user of the Tumblr iOS app would have his or her username and password sent in plain text, readable to anyone else on the same network.
By Monday’s end, Tumblr posted an official message that it had “just released a very important security update for [its] iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances.”
Tumblr also urged users of those apps to update passwords on Tumblr and on any other site where they used the same passwords. The posting did not acknowledge The Register or its tipper for bringing the security concern to Tumblr’s attention.
Source: Associated Press