Tumblr sends passwords in the clear.
I just sent this email to support@tumblr.com. I’m hoping by bringing a bit of attention to this fact the issue might get fixed a bit quicker.
Hey there,
First I want to thank you guys for making such an awesome blogging site. First web app I’ve been genuinely excited about discovering in a long time.
Secondly, I wanted to ask you if you are aware that you are sending your users’ password’s in the clear (I’m guessing so) and if you plan on fixing that? The issue is this, using a free program like Wireshark (http://www.wireshark.org/) I can ‘snoop’ packets and read http requests. Since you’re including passwords in the request unencrypted, I can easily look at the http layer of that packet and read tumblr passwords, plain as day.
Now this wouldn’t be such a big deal if I could only snoop my own packets, but that’s not the case - I can also snoop my neighbours. In fact, I can snoop anybody on the same wireless network as me. So imagine I’m at a coffee shop enjoying their free wifi with all the other laptop’d customers. I notice the person in front of me go to http://www.tumblr.com/login. I flip on Wireshark. They type in their email & password and click ‘log in’, all the while I’m capturing. I stop the capture, find their request and I now have their password. Not only is their tumblr account compromised, but since we all know people tend to use the same password for everything this could easily lead to major identify theft.
In any case, the solution is simple. Just post your login form to an https server. Here are snippets from facebook and twitter’s login pages to show you what I mean:
Facebook:
<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form"><input type="hidden" name="charset_test" value="€,´,€,´,水,Д,Є" /><input type="hidden" id="locale" name="locale" value="en_US" autocomplete="off" /><input type="hidden" id="non_com_login" name="non_com_login" autocomplete="off" /><table cellpadding="0" cellspacing="0"><tr><td class="login_form_label_field login_form_label_remember"><input type="checkbox" class="inputcheckbox " id="persistent" name="persistent" value="1" /><label for="persistent" id="label_persistent">Keep me logged in</label></td><td class="login_form_label_field"><a href="http://www.facebook.com/reset.php" rel="nofollow">Forgot your password?</a></td><td class="login_form_last_field login_form_label_field"></td></tr><tr><td><input type="text" class="inputtext DOMControl_placeholder" title="Email" placeholder="Email" id="email" name="email" value="Email" /></td><td><input type="password" class="inputpassword" id="pass" name="pass" value="" /
Twitter:
<form action="https://twitter.com/sessions" class="signin" method="post"><div style="margin:0;padding:0"><input name="authenticity_token" type="hidden" value="83ded7fd9608acf581ac55f489c77cf3bc13cec7" /></div> <input id="authenticity_token" name="authenticity_token" type="hidden" value="83ded7fd9608acf581ac55f489c77cf3bc13cec7" /> <fieldset class="common-form standard-form">
<table cellspacing="0">
<tr>
<th><label for="username_or_email">Username or email</label></th>
<td><input id="username_or_email" name="session[username_or_email]" type="text" value="" /></td>
</tr>
<tr>
<th><label for="password">Password</label></th>
<td><input id="session[password]" name="session[password]" type="password" /> <small><a href="/account/resend_password">Forgot?</a></small></td>
</tr>
By contrast, you post to “/login” which means the unencrypted http://www.tumblr.com/login. Here’s the equivalent tumblr html snippet:
<form action="/login" method="post" id="account_form">
<label for="email">Email address</label>
<div style="border: 1px solid #fff; margin-bottom: 20px;"><input type="text" name="email" id="email" class="text_field" value=""/></div>
<label for="password">Password</label>
<div style="border: 1px solid #fff; margin-bottom: 30px;"><input type="password" name="password" class="text_field"/></div>
To be certain I just logged into tumblr via the browser on my iphone (same wifi but otherwise not talking to my laptop) and can confirm that I was able to snoop and very easily see the password using my laptop. So I can assure you the issue is real.
Thanks again for making such a great site and I sincerely hope you make it even better (as soon as possible) by fixing this security hole.
Best,
Paul
