Tumblr transmits your Gmail/Hotmail/Yahoo password in the clear - kwm
http://mccammon.org/keith/2010/08/02/tumblr-sharing-your-passwords-with-the-world-since-2010/

======
tptacek
Re [2], it doesn't matter if a form's action posts to an https link. Using an
unencrypted HTML form to post to an encrypted post handler is a security anti-
pattern. Attackers will simply intercept the form render instead of the post,
alter the form, and insert themselves in the middle of the transaction. This
attack is no harder than intercepting the POST itself.

Don't _ever_ give your Google Mail password to another company. Even if they
"encrypt" it on the wire, you can never be sure they're not storing it
insecurely on the back end. Please take this from someone who spends his days
beating up other people's applications: everyone screws up something.

~~~
pasbesoin
This is yet another comment that reminds me of what in my mind is a related
problem. I encounter more and more sites, including major ones, that include
insecurely delivered (<http://>) assets into their secured pages (<https://>).
My understanding is that this is another vector to get at e.g. forms and
cookies, or basically anything on the page; by intercepting the insecure
asset, you can inject yourself into the secure parent page.

I always wonder "what's up with that"? Is it that the particular assets don't
lend themselves to injection, or an assumption that items delivered from a
server under their control can't or won't be intercepted? If the latter,
particularly once the traffic hits an unsecured wireless segment, I'd be
inclined to say all bets are off.

EDIT: Nit: HN linkified the bare protocol designations.
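Both points in this subthread (a login form rendered over plain HTTP even though it posts to HTTPS, and an HTTPS page pulling in HTTP sub-resources) can be caught with a static audit of the served HTML. The following is an added example written for this discussion; it is not code from the thread, from Tumblr or from any cited source. The `example.test` URLs and the two HTML snippets are constructed inputs, and the finding labels are my own naming.

```python
"""Audit served HTML for the two mixed-content patterns discussed above.

Finding kinds (names chosen for this example):
  form-on-insecure-page   form rendered on an http:// page, whatever its action
                          (an attacker who can alter the page can alter the form)
  form-posts-insecure     form on an https:// page whose action is http://
  mixed-content           https:// page loading a sub-resource over http://
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class MixedContentAuditor(HTMLParser):
    # Tag -> attribute that names a fetched sub-resource.
    RESOURCE_ATTRS = {
        "script": "src", "img": "src", "iframe": "src", "link": "href",
        "embed": "src", "object": "data", "source": "src",
    }

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlparse(page_url).scheme
        self.findings = []  # list of (kind, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action posts back to the page itself.
            target = urljoin(self.page_url, attrs.get("action") or self.page_url)
            target_scheme = urlparse(target).scheme
            if self.page_scheme == "http":
                self.findings.append(("form-on-insecure-page", target))
            elif target_scheme == "http":
                self.findings.append(("form-posts-insecure", target))
        attr = self.RESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            # urljoin resolves relative and protocol-relative ("//host/x") URLs,
            # so only an explicit http:// reference on an https page is flagged.
            url = urljoin(self.page_url, attrs[attr])
            if self.page_scheme == "https" and urlparse(url).scheme == "http":
                self.findings.append(("mixed-content", url))


def audit(page_url, html):
    """Return the list of (kind, url) findings for one served page."""
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample 1: a contact-import form served over plain HTTP that
# posts to an HTTPS handler, the anti-pattern described in the thread.
IMPORT_PAGE_URL = "http://example.test/import"
IMPORT_PAGE_HTML = """
<form action="https://example.test/import" method="post">
  <input name="email"><input name="password" type="password">
</form>
"""

# Constructed sample 2: an HTTPS page that pulls one script over HTTP;
# the HTTPS image and protocol-relative stylesheet are fine.
DASHBOARD_URL = "https://example.test/dashboard"
DASHBOARD_HTML = """
<link rel="stylesheet" href="//cdn.example.test/site.css">
<img src="https://cdn.example.test/logo.png">
<script src="http://cdn.example.test/app.js"></script>
<form action="/settings" method="post"><input name="theme"></form>
"""

if __name__ == "__main__":
    for url, html in ((IMPORT_PAGE_URL, IMPORT_PAGE_HTML),
                      (DASHBOARD_URL, DASHBOARD_HTML)):
        for kind, target in audit(url, html):
            print(f"{url}: {kind} -> {target}")
```

Run as a script it prints one finding per page. On the server side the durable fixes are to serve every page that carries a form over HTTPS, to send an HSTS header so browsers stop requesting the HTTP variant, and to use a Content-Security-Policy with `upgrade-insecure-requests` or `block-all-mixed-content` so a stray `http://` asset reference cannot be used to tamper with the secure page.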

------
kwm
Thomas: Wholeheartedly agree. Thus, [1].

I probably should have made this very clear: While the lack of encryption is
maddening, the very worst part is that Tumblr isn't performing this data pull
properly (and Google does provide a proper and relatively safe mechanism for
doing what they're doing--it's used by Facebook, LinkedIn and anyone else with
a need, API key and good conscience).

------
icarus_drowning
While I wasn't a huge fan of the tone here ("They really don’t give a shit,
huh?"), it does seem like something that needs to be brought to everyone's
attention.

~~~
kwm
That probably wasn't the most appropriate means of expressing my opinion.
Apologies.

~~~
icarus_drowning
Hey, at least the substance is there... if this situation is as you
characterized it, I see it as a rather massive breach of trust on the part of
Tumblr. The tone might be regrettable, but that's a minor concern.

