UPDATED 18:36 EDT / JULY 18 2013

NEWS

Tumblr Users Urged to Change Passwords After Security Flaw Exposed

Tumblr (yes, the Tumblr that was just bought by Yahoo for $1.1 billion) sent out word yesterday that there was a major security issue for iPhone and iPad users and that passwords should be changed immediately. On Tuesday, Tumblr sent out a fix for the issue, but the password change is still recommended. The issue came to light from a reader of the Register who was doing a little security research on Apple products for the company he works for. What he found was that when users logged on from their Apple devices, the application didn’t use a secure connection. That means another party on the same network who was so inclined could easily ‘sniff’ out the account names and passwords using some pretty common software. Because the apps were not using a secure (SSL) connection when logging users in, credentials were sent in plain text, and users’ accounts could easily be stolen.

Tumblr’s Derek Gottfrid “DerekG” posted on their site:

Important security update for iPhone/iPad users

We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now.

If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It’s also good practice to use different passwords across different services by using an app like 1Password or LastPass.

Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.

There haven’t been any widespread public reports of accounts being stolen. It’s just that the flaw has now been discovered, and changing your account password would be a good idea. This is not an Apple problem but a Tumblr issue, and since it is possible that someone may have captured your password at one time or another, it only makes sense to change it as soon as possible.

Soapbox time. This was a pretty bad lapse in security. Plain text password transmission is a big no-no and is somewhere on page 1 of the how-to-build-apps book. So it looks like this was an oversight, and you know how it is: when you get enough people assuming that something has been done right, you run into those “how did this happen?” scenarios. It’s a bit embarrassing for Tumblr, I’m sure, and they’ve done the right thing in getting the update out and communicating the change-password warning. The reader who reported the flaw did claim he notified Tumblr of it some two weeks before he came to the Register.

Big picture – We can’t stress enough that if you assume anything about security, assume that whatever you are looking at is insecure, not the other way around.  That’s what happened here in a very public way, but note that things like this happen all the time.  People are vetting, testing, scrutinizing technology every day as a hobby and as a profession.  Hats off to the anonymous tipster.

 

