Late last night Tumblr made a mysterious and cryptic plea to its iPhone and iPad app users, asking anyone who has ever logged in through the app to reset their password, because of a complete lack of password security. The message that went up last night, and into users' app streams, didn't say much beyond, "We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹." According to a security professional conducting an audit of iOS applications, Tumblr had neglected to use Secure Sockets Layer (SSL) to encrypt any and all iOS logins and passwords, which makes it incredibly easy to steal username-password combinations.
"It's such a huge and egregious error," Kevin O'Brien, an enterprise solutions architect for CloudLock, told the Atlantic Wire. "SSL is used to ensure that information is encrypted while it's being transmitted between, say, a computer and somewhere on the Internet," he explained. "Not having SSL enabled means that whenever their users were logging in, their passwords were transmitted in the clear." Indeed, as an image published by The Register shows, both the username and password went over the web's tubes in plain text for any thief to take and see.