Tumblr issues 'very important' iOS app update to plug security hole

AppleInsider

Yahoo-owned Tumblr on Tuesday released a security update for its iPhone and iPad apps to resolve an issue that in some cases would allow user passwords to be compromised.



In a post to its official blog, the update fixes an unspecified bug pertaining to password security, which was discovered in iOS versions of the app on Tuesday, reports TheNextWeb.

Tumblr's statement regarding previous versions of its iOS app:

If you?ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It?s also good practice to use different passwords across different services by using an app like 1Password or LastPass.

Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.

Details on the reported bug are scarce, but Tumblr noted that passwords could be "'Sniffed' in transit on certain versions of the app." It is unclear which versions Tumblr is referring to, but the app was most recently updated about one week ago alongside Yahoo! Mail.

The Tumblr update comes in at 12.7MB as is available now for free from the App Store.

jdsonice

I am really sick of these freaking "cloud" based companies that do a horrible job of managing our security and data. OK, I get it, they are mostly free and you get what you pay for (but you DO pay by getting to watch crappy ads). It is however getting ridiculous.

The problem of course is pretty bad with the startups and will only get worse as more 17 year olds try and start companies.

What surprises me is that there is no consequence for these companies. The public continues to use them, helping them make money via advertising and then complaining that their privacy has been invaded.

Frankly speaking most of these companies offer no real value to the user. I fail to see the value in Tumblr other than for the exhibitionist in us.

The only way to punish these companies is to stop using their services. Let them feel the pain of loosing revenue for their poor security practices.

Thanks for listening to my soap box, I am putting on my flame retardant suit on now.

suddenly newton

jdsonice wrote: »

I am really sick of these freaking "cloud" based companies that do a horrible job of managing our security and data. OK, I get it, they are mostly free and you get what you pay for (but you DO pay by getting to watch crappy ads). It is however getting ridiculous.

The problem of course is pretty bad with the startups and will only get worse as more 17 year olds try and start companies.

What surprises me is that there is no consequence for these companies. The public continues to use them, helping them make money via advertising and then complaining that their privacy has been invaded.

Frankly speaking most of these companies offer no real value to the user. I fail to see the value in Tumblr other than for the exhibitionist in us.

The only way to punish these companies is to stop using their services. Let them feel the pain of loosing revenue for their poor security practices.

Thanks for listening to my soap box, I am putting on my flame retardant suit on now.

There's no consequence until there's a security breach, and then the consequences are very expensive.
The situation you describe is going to be normal for small startups, because economics determine what gets delivered, and security is one of those requirements that are easy to overlook, and difficult to get right. The way programming is taught (or self-learned by 17-year-olds) often omits security analysis. Security is an assumed requirement, not a "sexy" feature. Even programmers working for larger and well-funded companies don't understand security issues, and have never been trained to.
I don't see the situation changing any time soon.