Tumblr security hole (the gaping kind) - oldgregg

My friend noticed this: If you log in to your tumblr account and then manually go to /admin, it takes you to the system-wide tumblr admin... wow.
======
dangoldin
Probably better to let Tumblr know first, then us.

Edit: just confirmed that it works.

Basically lets you search users by id or email, then gives you the ability to
change their email/reset password.

~~~
mixmax
I just shot them a mail to let them know.

Ironically they don't obey one of the primary rules of usability for websites:
have a link to contact info on the front page.

~~~
akkartik
I've complained about it before. Not only is it not on the front page, for a
long time it just did not exist.

------
jeroen
This should not have been posted before it was fixed. We all make mistakes,
even stupid ones, and I'm sure none of us would like this happening to them. A
bit of professional courtesy would have been in order.

------
rob
Did someone at least remove Jakob Lodwick's blog while the exploit was open?

~~~
agentbleu
lol

------
gobbin
They turned it off at 4:07 eastern

~~~
agentbleu
I'm very disappointed in you all, I'm sure we could have had a lot of fun in
the meantime...

------
tlrobinson
Tumblr posted a notice. 27 accounts were accessed, 1 was modified (guess
who... Julia Allison)

<http://blog.davidville.com/2008/04/15/security-notice/>

------
pius
That is absolutely unbelievable.

------
sohail
What the hell is Tumblr? And what happened to vowels?

~~~
jraines
Tumblr is an awesome blogging platform that's dead simple and has some
Twitteresque social features (i.e. following) built in.

Also has a great bookmarklet and a neat api.

~~~
tbourdon
And a non-existent QA department apparently?

~~~
sohail
QA departments are notorious for not being very creative. You'd need a star QA
department to find the /admin hole, I think.

~~~
cstejerean
No, you just need functional tests. Having these kinds of bugs in a spare time
project is fine, but if you call yourself a startup and ask customers to trust
you with data, you need to seriously consider security issues.
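
An added example (not Tumblr's code, nor anything posted in this thread) of the functional test cstejerean describes: a minimal role check on an /admin route, the unchecked "before" handler beside it, and a test that only passes when a plain logged-in user is refused. All names, session tokens and routes here are hypothetical.

```python
# Added example, not Tumblr's code: an /admin route with and without an
# authorization check, plus a functional test that catches the difference.
from functools import wraps

# Constructed sample session store: one ordinary user, one administrator.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-root": {"user": "root", "role": "admin"},
}

def current_user(request):
    """Resolve the session token in the request to a user record, or None."""
    return SESSIONS.get(request.get("session"))

def require_role(role):
    """Decorator: refuse the route unless the session carries the given role."""
    def deco(fn):
        @wraps(fn)
        def wrapper(request):
            user = current_user(request)
            if user is None:
                return 401, "login required"
            if user["role"] != role:
                return 403, "forbidden"
            return fn(request)
        return wrapper
    return deco

# "Before": being logged in at all is enough to reach the admin panel,
# which is the class of mistake the thread is discussing.
def admin_panel_before(request):
    if current_user(request) is None:
        return 401, "login required"
    return 200, "admin: search users, reset passwords"

# "After": the same handler behind an explicit role check.
@require_role("admin")
def admin_panel_after(request):
    return 200, "admin: search users, reset passwords"

def functional_test(handler):
    """True only if anonymous is asked to log in, a plain user is refused,
    and an admin is let through; run this against every admin route."""
    anon = handler({"path": "/admin"})[0]
    user = handler({"path": "/admin", "session": "tok-alice"})[0]
    admin = handler({"path": "/admin", "session": "tok-root"})[0]
    return anon == 401 and user == 403 and admin == 200
```

The test fails for `admin_panel_before` and passes for `admin_panel_after`, so a change that drops the role check breaks the build instead of reaching production.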

~~~
agentbleu
Yeah, I mean, it seems to be a first-step obvious point.

------
dcurtis
Don't you think it's a tad unreasonable-- almost stupid-- to post something
like this here? At the very least, it's immoral.

You can essentially take control of Tumblr.

------
pius
[4:09 pm] Problem fixed. Response time: 43 minutes.

------
sanswork
Did you or your friend happen to report this to them before posting it here?

~~~
oldgregg
Yeah, he said he told them. I would have more sympathy if it was an obscure
hole, but something this big is just disrespectful to their users.

~~~
pius
This is a pretty critical exploit... you'd think they'd take the app down
or at least change the admin URL while this is resolved. I shouldn't at this
moment _still_ be able to reset an arbitrary user's password by going to that
URL.

~~~
oldgregg
...and how many people have found it and not said anything? We've all used
poorly secured admins here and there, but /admin seems particularly egregious.

~~~
pius
_...and how many people have found it and not said anything?_

Scary.

~~~
simen
It was only open for an hour.

~~~
pius
No, it was only open and _public_ for an hour. It could have been open for
months, maybe longer.

~~~
simen
It was the result of a change today, right before it hit Hacker News (so
sayeth Marco of tumblr in the #tumblrs irc channel, anyway; I believe him).

~~~
jlam
As we know, hackers regularly turn random door knobs to see which doors open.
Logs I can see show more black hat attempts than white hat, so either
OldGregg's friend got lucky or a few exploits might have already been made.

------
nandos
If that's true, the lead developer should be fired on the spot. They use that
"good" old "security by obscurity". I thought this technique was dead long
ago....

~~~
utnick
A little harsh maybe... developers make mistakes... probably just forgot about
it while trying to get the initial release out the door... it's not like
Tumblr is a bank or the DoD.

~~~
nandos
OK, maybe :) But forgetting to secure your admin area deserves more than a
simple warning. Can you imagine if the person that discovered the
vulnerability decided to delete all the user accounts?

~~~
tbourdon
Or try out the usernames and passwords on say BofA?

~~~
ConradHex
The passwords aren't stored in plaintext, they said.

------
andr
Lesson: Man your support email 24/7.

Oh, by the way, if you can't code, have somebody look at your code.

------
pmorici
Does anyone else find it ironic that in apologizing for their SNAFU they list
the full name of the one person affected most by the incident?

"We’d also like to make a special apology to Julia Allison, whose account was
temporarily affected by our mistake."

------
lowfat
I didn't know what Tumblr is and I created an account just to confirm the
hack (the security hole is still there). But this got me thinking about
another post at HN on how to market your site - I guess a blatant (fake?)
security hole is one way to do it.

~~~
danielha
Uh yeah. You must be part of the same marketing team that advises car
manufacturers to stage huge vehicle safety recalls. That'll really get the
customers knocking.

Tumblr has a great but small team, just like most of us on this site. As
someone who makes mistakes, I offer them empathy and sympathy.

------
pius
It'll be interesting to see how this news spreads through the Twitterverse.
Break the popcorn out:
[http://www.tweetscan.com/index.php?s=tumblr&u=](http://www.tweetscan.com/index.php?s=tumblr&u=)

------
pb30
You may want to change your passwords and your mobile email address. Both were
accessible.

~~~
pius
Is that true that the passwords were revealed? All I saw was a reset link that
I didn't click on.

------
khangtoh
"Earlier this afternoon, during alterations to our administrator code,"

The thought of them just doing a live deploy freaks me out... not the best
practice... ever... ever... for a major site like theirs.

------
deathbyzen
I actually don't know what Tumblr is. Is it a twitter clone or something?

~~~
pius
They were the first popular tumbleblogging platform. It's a really good
service, this incident notwithstanding.

The perverse irony of all of this is that the incident reminded me that I've
got a Tumblr account. Before today, I hadn't logged in for over a year!

------
fourlittlebees
Still works. Still up. Still the dumbest thing I've ever seen.

------
ChrisRicca
I can't believe, >30 min out, that this is still open

------
ralph
The posts on this thread show how news.yc has gone down the tubes.

------
Edyedyedy
Not anymore, people. Nothing to see here, hole is fixed.

------
WillJohnston
And it's fixed

------
cameras
It works. I just told them too.

------
jiparker
They shut it down now...

------
klisiu
Holy crap! That's true..

------
rlm
Screenshot or it didn't happen ;-)

------
aaroneous
Whoa.

------
freax
The MIT computer lab used to forgo passwords. If you wanted to dick with the
system you could, so it removed the thrill of "breaking in". You could mess
with other people's accounts but they could mess with yours, too. Kind of like
how everyone in Texas carries guns starting in kindergarten and so everyone is
really polite.

I think it's a great lesson so I think I'll make my startup's vital
information globally accessible (admin functions, source code, even my billing
info for the ISP) and trust to my fellow human beings' goodwill.

I love you guys!!

------
henning
Chalk one up for PHP!

~~~
tlrobinson
More like a bad and/or careless programmer...

~~~
henning
More like platforms that pride themselves on always leaving security entirely
up to the programmer...

~~~
jawngee
This is the dumbest comment I've ever read on here.

~~~
yan
I agree
