Instagram Django site admin - lest
https://instagram.com/django/

======
mikeyk
Mike from Instagram here. We've now locked it down more (the actual admin
contents were always properly protected).

We're also part of Facebook's bug bounty whitehat program
([https://www.facebook.com/whitehat/bounty/](https://www.facebook.com/whitehat/bounty/)),
if anyone comes across something in the future, we welcome responsible
disclosure and pay out bounties through the program as well.

~~~
MattBearman
Out of interest, would something as easy to find as this qualify for the bug
bounty?

~~~
davis_m
I would hope so. It shouldn't matter how "easy" something is to find. If the
bug was really that easy, the team should have never let it out onto
production.

~~~
tptacek
Off the top of my head I can't speak to Facebook's program, but Google's terms
include "substantially affects the confidentiality or integrity of user data".
A login page that shouldn't be exposed is a marginal finding and might not
qualify.

Also: obviously I don't speak for either Facebook or Google, but I strongly
recommend against brute-forcing login prompts to try to prove the point that
an exposed console is a real finding.

~~~
dylangs1030
"Report a bug that could compromise the integrity of Facebook user data,
circumvent the privacy protections of Facebook user data, or enable access to
a system within the Facebook infrastructure"

^That's Facebook's. Theoretically, an exposed login page "could...enable
access to a system within the Facebook infrastructure", but to be fair, I
doubt they had that in mind.

------
zalew
it may be a honeypot. I sometimes set up a bogus form under /admin/ which logs
attempts. adrian holovaty on the other hand, redirects /admin/ to django docs
[http://www.holovaty.com/writing/admin-easter-egg/](http://www.holovaty.com/writing/admin-easter-egg/)

//edit: oh, now I see somebody thought of my idea too
[https://github.com/dmpayton/django-admin-honeypot](https://github.com/dmpayton/django-admin-honeypot)

~~~
Legogris
Given that they don't seem to have any automatic tests or similar for their
APIs (check out their Google group and you'll see that stuff has been broken
for a long time for all users without attention. When stuff has been broken in
the past, Instagram people will ask "is this still a problem?", like they have
no way of checking their own APIs...), I wouldn't expect them to be that
crafty.

------
donbronson
Pinterest and Instagram are both using Django. Then again, when you are at scale
like these sites, you start to build new architecture around existing stuff.
Reference: [http://highscalability.com/blog/2013/4/15/scaling-pinterest-...](http://highscalability.com/blog/2013/4/15/scaling-pinterest-from-0-to-10s-of-billions-of-page-views-a.html)

~~~
tomp
Makes me wonder why there aren't more jobs for Django; Ruby on Rails still
seems to be far more popular for new startups!

~~~
cwh
I believe it's because Rails is as easy as grabbing a shovel to dig a hole for
yourself.

------
pjan
And they're not alone: mixpanel Django site admin:
[https://mixpanel.com/admin/](https://mixpanel.com/admin/)

------
pacifi30
How do you mask your admin portal when you are small enough that you don't have
an intranet? Someone on Hacker News pointed out to me that my admin portal
was open, but I never understood how to mask it.
[http://www.truffle.io/admin/](http://www.truffle.io/admin/) Any suggestions?

~~~
StavrosK
Well, first of all, change the URL to something obscure. That'll take care of
most of the problems. Afterwards, you could set SSL certificates so only
browsers with the private keys could even access it.

~~~
pacifi30
Thank you so much. I'll change it to something obscure and for the SSL
certificate I am thinking if I can use heroku's SSL certificate.

~~~
StavrosK
That's a normal HTTPS cert, I'm talking about this:

[http://www.ibm.com/developerworks/lotus/library/ls-SSL_clien...](http://www.ibm.com/developerworks/lotus/library/ls-SSL_client_authentication/)

Really, though, unless you're extremely security-conscious, a hidden URL over
HTTPS with a good password is sufficient for your purposes.

Also, don't serve any pages over plain HTTP, login pages even less so.
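
An added example, not code from this thread and not Django's own admin: a small stdlib-only WSGI app that combines zalew's honeypot idea above with the advice in this reply. It assumes an obscure path `/manage-7f3a9c/` for the real admin (a stand-in stub here), a decoy form at `/admin/` that records every login attempt without ever succeeding, and a redirect of plain-HTTP requests to HTTPS; the traffic driven through `simulate()` is constructed. Client-certificate checking belongs in the TLS terminator (a proxy in front of the app), so it is not shown.

```python
# Added example (not from the thread or from Django): a WSGI app that keeps the
# real admin under a hard-to-guess path, answers the well-known /admin/ with a
# decoy login that logs every attempt, and refuses to serve anything over HTTP.
# The prefixes, the admin stub and the record format are assumptions.
import io
from urllib.parse import parse_qs

REAL_ADMIN_PREFIX = "/manage-7f3a9c/"   # assumed obscure path; choose your own
DECOY_PREFIX = "/admin/"                 # the path scanners look for first

DECOY_FORM = (b'<form method="post"><input name="username">'
              b'<input name="password" type="password"><button>Log in</button></form>')

# In-memory record of decoy hits; a real deployment would append to a log file.
ATTEMPTS = []


def _is_https(environ):
    # Trust wsgi.url_scheme, or X-Forwarded-Proto set by a TLS-terminating proxy.
    return (environ.get("wsgi.url_scheme") == "https"
            or environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")


def record_attempt(environ):
    """Record a decoy login attempt: source IP, path and the username tried."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length else b""
    fields = parse_qs(body.decode("utf-8", "replace"))
    entry = {"ip": environ.get("REMOTE_ADDR", "unknown"),
             "path": environ.get("PATH_INFO", ""),
             "username": fields.get("username", [""])[0]}
    ATTEMPTS.append(entry)
    return entry


def suspicious_sources(attempts, threshold=3):
    """Detection helper: source IPs that hit the decoy at least `threshold` times."""
    counts = {}
    for a in attempts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if not _is_https(environ):
        # Never serve a page, let alone a login form, over plain HTTP.
        host = environ.get("HTTP_HOST", "localhost")
        start_response("301 Moved Permanently", [("Location", f"https://{host}{path}")])
        return [b""]
    if path.startswith(DECOY_PREFIX):
        if environ.get("REQUEST_METHOD") == "POST":
            record_attempt(environ)
        # The decoy always shows the form again: it never logs anyone in.
        start_response("200 OK", [("Content-Type", "text/html")])
        return [DECOY_FORM]
    if path.startswith(REAL_ADMIN_PREFIX):
        # Stand-in for the real admin; mount the actual admin app here.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"real admin (HTTPS only, strong password required)"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def simulate(method="GET", path="/", scheme="https", ip="203.0.113.5", body=b""):
    """Drive the app with a constructed WSGI environ; returns (status, body bytes)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.url_scheme": scheme,
               "REMOTE_ADDR": ip, "HTTP_HOST": "example.test",
               "wsgi.input": io.BytesIO(body), "CONTENT_LENGTH": str(len(body)),
               "CONTENT_TYPE": "application/x-www-form-urlencoded"}
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    out = b"".join(app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    # Constructed traffic: one HTTP visit (redirected), one legitimate admin visit,
    # and three decoy login attempts from a single source.
    print(simulate(path="/admin/", scheme="http"))
    print(simulate(path="/manage-7f3a9c/"))
    for _ in range(3):
        simulate("POST", "/admin/", body=b"username=admin&password=hunter2", ip="198.51.100.7")
    print(suspicious_sources(ATTEMPTS))   # → ['198.51.100.7']
    # To serve it for real: wsgiref.simple_server.make_server("127.0.0.1", 8000, app).serve_forever()
```

The decoy deliberately returns the same form whether or not a POST was made, so an attacker learns nothing from it, while `suspicious_sources()` is the kind of check you would run over the recorded attempts to decide which sources to block.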

~~~
pacifi30
Thanks, I guess I'll explore the option that you described above. Also there
is one more thing I am curious about: so heroku does give a free SSL
certificate, but that only works for their domain, meaning something like
truffleapp.herokuapp.com; it doesn't work for the custom domain. Do you know
any way where I can save money on buying an SSL certificate and rather use
heroku's certificate? All the certificates put at least a $1000 hole in the
pocket, but eventually in a week or so, if I can't figure out how to use heroku
SSL, I have to spend that money.

~~~
tingletech
If you are just using SSL on your admin site, you could roll your own.

    # generate a self-signed certificate and its private key in one step
    openssl req -new -x509 -nodes \
          -out /nuxeo/certs/server.crt \
          -keyout /nuxeo/certs/server.key \
          -batch

You will get a warning about the certificate being suspect, but at least the
traffic will be encrypted.

------
workhere-io
I'm not sure what the point in linking to this is. If you regard it as a
security hole, alert Instagram. If you just want to let people know that
Instagram uses Django... well, that information is already on
[https://www.djangoproject.com](https://www.djangoproject.com).

~~~
aet
I guess the point is that maybe you should restrict "people from the internet"
from being able to access the login page.

~~~
workhere-io
I understand. My point was that it would be better to alert Instagram rather
than direct a lot of HN users to a page that offers no value.

~~~
aet
I agree. (Already fixed?)

------
gregorkas
Although it's been a while since I've done anything in Django, seeing this
still gives me a warm feeling.

------
the_cat_kittles
I changed the top bar color from that blue green to a red on the production
deployment of my app- helps avoid forgetting which deployment you are messing
with.

~~~
craigkerstiens
A post or code snippet that does this would be great; seems like a really
simple but useful thing others may like.

~~~
sevenproxies
Simple browser-side CSS does the trick. I use Stylish[1] for Chromium. I
believe there is also a Firefox version.

[1] -
[https://chrome.google.com/webstore/detail/stylish/fjnbnpbmke...](https://chrome.google.com/webstore/detail/stylish/fjnbnpbmkenffdnngjfgmeleoegfcffe)

------
dlsym
admin:admin doesn't work.

~~~
stefs
file a bug report "login is broken"

~~~
dopamean
This is the best idea in this thread.

------
spdy
Would love to see the inside. If they use special dashboards etc.

Maybe someone can give some insight.

~~~
johndavidback
It would actually be quite interesting to see how large enterprise clients
modify/utilize the Django admin... if at all.

Other than Grappelli, I've historically used the admin pretty much as-is.
Creating admin functions is one thing, but lots of custom screens is quite
another.

I also think that's one thing really lacking from the Django documentation,
really great customization of the Admin.

~~~
DirtyMonkey
Most of the Django projects I've worked on, people tended to make their own
admin panels with things like Bootstrap and Foundation. Django's core team
have made their goals clear for the next admin, extensibility and
adaptability. [https://github.com/twoscoops/django-admin2](https://github.com/twoscoops/django-admin2)

------
lukashed
BlackJet Django admin:
[https://www.blackjet.com/admin/](https://www.blackjet.com/admin/)

------
jchung
Did you inform Instagram first before posting it to HN?

------
wrboyce
It seems to have (just) changed to a non-standard (different to the rest of
Instagram's) 404 page.

------
techaddict009
Has anyone taken a snapshot of it? Instagram has fixed it and I have
missed the chance to see it.

~~~
danielsamuels
It just looked like the default Django login -
[http://www.djangobook.com/en/2.0/_images/login.png](http://www.djangobook.com/en/2.0/_images/login.png)

------
rajbala
They removed the link to the admin page.