MarsEdit 3.6.2: Tumblr Security Fix

July 17th, 2013

MarsEdit 3.6.2 is available now from the MarsEdit home page, and has been submitted to the Mac App Store for review by Apple.

Last night Tumblr revealed on their staff blog that the Tumblr for iOS app sent a user’s password in plain text when authenticating with the service. They published an updated version of the app which addresses the problem by connecting to Tumblr over HTTPS instead of unencrypted HTTP.

MarsEdit had precisely the same flaw in the way it communicates with Tumblr, so the fix is the same as Tumblr’s: use HTTPS when communicating a user’s password to Tumblr.

Who Should Update?

If you use MarsEdit to connect to a Tumblr blog, you should update to ensure that your password is sent securely to Tumblr.

What Was The Risk?

Because MarsEdit sent a user’s Tumblr password in plain text over an unencrypted HTTP connection, anyone positioned on the network path between your Mac and Tumblr’s servers (on the same shared Wi-Fi network, for example) could have intercepted the traffic and read the password.

What Else Should I Do?

After updating to MarsEdit 3.6.2, you may want to change your Tumblr password to be absolutely sure that it has not been compromised. Starting with MarsEdit 3.6.2 your Tumblr password will never be transmitted insecurely to Tumblr’s servers.

Tumblr uses a token-based authorization system: once a client has signed in, it holds an access token that remains valid even after your password has been changed, so changing the password alone does not lock out a client that was authorized earlier. To be absolutely sure that your password is secure and that no unauthorized entities hold tokens for your blog, I recommend visiting Tumblr’s Apps Settings Page, where you can view a list of authorized applications and revoke access to any that you are uncertain about.

Finally, as a matter of general internet security, don’t use the same password on any two services. By using unique passwords for each of the various web services you connect to, a compromised password will only ever provide an attacker with access to a single system.

What About Other Systems?

Many popular blogging systems use authentication schemes that are less secure than they ideally would be. For example, the XML-RPC based APIs on which WordPress, Movable Type, and many other systems are built also require clients such as MarsEdit to send the password to the server in plain text, as an ordinary parameter of each API call.

However, many of these systems also support accessing the API endpoint via HTTPS, which mitigates the problem by encrypting the whole connection. If you are connecting to a WordPress.com blog, the HTTPS version of the API Endpoint URL should be set up for you automatically. If you are connecting to a self-hosted WordPress blog, you may need to ask your hosting provider whether you can switch to an HTTPS URL for accessing the blog.
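To make the risk described above concrete, here is an added example (written for this post, not MarsEdit’s own code) that serialises a metaWeblog API call the way any XML-RPC client does, shows how an eavesdropper on a plain HTTP connection reads the username and password straight back out of the captured request body, and then shows the client-side guard that fixes it: refuse to send a credential-bearing request to anything but an HTTPS endpoint. The sample credentials and the `example.com` URL are constructed, and the `transport` hook is a hypothetical stand-in for the HTTP layer so the example runs offline.

```python
import xmlrpc.client
from urllib.parse import urlparse, urlunparse

# Constructed sample credentials for the demonstration; not a real account.
BLOG_ID = "1"
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def build_metaweblog_request(blog_id, username, password, count=5):
    """Serialise a metaWeblog.getRecentPosts call exactly as an XML-RPC
    client puts it in the HTTP request body. The password travels as an
    ordinary <string> parameter; nothing in the protocol protects it."""
    return xmlrpc.client.dumps(
        (blog_id, username, password, count),
        methodname="metaWeblog.getRecentPosts",
    )


def recover_credentials_from_capture(request_body):
    """What an eavesdropper does with a request body captured from plain
    HTTP: parse the XML-RPC call and read the credentials back out.
    In the metaWeblog.* and blogger.* method families the username and
    password are the second and third positional parameters, after the
    blog id or app key, so no knowledge of the specific method is needed."""
    params, methodname = xmlrpc.client.loads(request_body)
    if not methodname or len(params) < 3:
        return None
    return params[1], params[2]


def endpoint_is_safe_for_credentials(url):
    """Only a TLS-protected endpoint should ever receive the password.
    Returns False for http://, for a bare path, and for anything else."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def upgrade_to_https(url):
    """The MarsEdit 3.6.2 fix for Tumblr, expressed in URL terms: change
    the scheme and nothing else. For a self-hosted blog you still have to
    confirm that the host actually serves the endpoint over HTTPS."""
    parts = urlparse(url)
    if parts.scheme == "http":
        return urlunparse(parts._replace(scheme="https"))
    return url


class InsecureEndpointError(Exception):
    pass


def send_authenticated_call(url, request_body, transport):
    """Guard in front of every credential-bearing request: the body is
    handed to the transport only if the URL is HTTPS. `transport(url, body)`
    is a hypothetical hook standing in for the real HTTP layer."""
    if not endpoint_is_safe_for_credentials(url):
        raise InsecureEndpointError(
            f"refusing to send credentials to non-HTTPS endpoint {url!r}")
    return transport(url, request_body)


def demo():
    body = build_metaweblog_request(BLOG_ID, USERNAME, PASSWORD)
    # Over plain HTTP, anyone between client and server reads this back:
    leaked = recover_credentials_from_capture(body)

    sent = []

    def fake_transport(url, req):  # records what would have gone on the wire
        sent.append((url, req))
        return "<ok/>"

    endpoint = "http://example.com/xmlrpc.php"  # constructed URL
    try:
        send_authenticated_call(endpoint, body, fake_transport)  # blocked
    except InsecureEndpointError:
        pass
    send_authenticated_call(upgrade_to_https(endpoint), body, fake_transport)
    return leaked, [url for url, _ in sent]


if __name__ == "__main__":
    leaked, urls = demo()
    print("eavesdropper recovers:", leaked)
    print("requests actually sent to:", urls)
```

The guard is deliberately a scheme check rather than a heuristic: a client that ever falls back to `http://` for a credential-bearing call has the same flaw this release fixes, however the fallback is reached.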

For WordPress-style systems, you can get a sense for whether MarsEdit is connecting to your blog via a secure HTTPS connection by examining the blog settings in MarsEdit:

Screenshot of MarsEdit's blog settings

Note that for Google Blogger blogs, although the API Endpoint URL is HTTP-based, authentication is handled separately from that URL, using a mechanism that does not transmit the password as plain text over the internet.

Anything Else?

MarsEdit 3.6.2 is primarily a “one-fix wonder,” but it also addresses some minor memory-usage issues, and another subtle Tumblr authentication issue. Here are all the changes for this release:

  • Improve security of Tumblr connections
  • Fix an issue where MarsEdit would fail to re-authenticate with Tumblr after revoking privileges
  • Fix some memory performance issues