Tumblr security hole (the gaping kind)
80 points by oldgregg on April 15, 2008 | 78 comments
My friend noticed this: if you log in to your Tumblr account and then manually go to /admin, it takes you to the system-wide Tumblr admin... wow.

Probably better to let Tumblr know first, then us.

Edit: just confirmed that it works.

Basically, it lets you search users by id or email, then gives you the ability to change their email/reset their password.

I just shot them a mail to let them know.

Ironically, they don't obey one of the primary rules of usability for websites: have a link to contact info on the front page.

I've complained about it before. Not only is it not on the front page, for a long time it just did not exist.

Interestingly, I've looked at your comment about 10 times and just now noticed that you transposed the 'm' and 'b' in Tumblr. :)

Whoops. Well, they've done studies to show common typos don't affect the meaning too much. I've updated it though -

"Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe." - http://www.mrc-cbu.cam.ac.uk/~mattd/Cmabrigde/


This should not have been posted before it was fixed. We all make mistakes, even stupid ones, and I'm sure none of us would like this happening to them. A bit of professional courtesy would have been in order.

Did someone at least remove Jakob Lodwick's blog while the exploit was open?


They turned it off at 4:07 Eastern.

I'm very disappointed in you all, I'm sure we could have had a lot of fun in the meantime...

Tumblr posted a notice. 27 accounts were accessed, 1 was modified (guess who... Julia Allison).


That is absolutely unbelievable.

What the hell is Tumblr? And what happened to vowels?

You must be new here.

Tumblr is an awesome blogging platform that's dead simple and has some Twitteresque social features (i.e. following) built in.

Also has a great bookmarklet and a neat API.

And a non-existent QA department, apparently?

QA departments are notorious for not being very creative. You'd need a star QA department to find the /admin hole, I think.

No, you just need functional tests. Having these kinds of bugs in a spare-time project is fine, but if you call yourself a startup and ask customers to trust you with data, you need to seriously consider security issues.

Yeah, I mean it seems to be a first-step, obvious point.

Don't you think it's a tad unreasonable-- almost stupid-- to post something like this here? At the very least, it's immoral.

You can essentially take control of Tumblr.

[4:09 pm] Problem fixed. Response time: 43 minutes.

Did you or your friend happen to report this to them before posting it here?

Yeah, he said he told them. I would have more sympathy if it was an obscure hole, but something this big is just disrespectful to their users.

This is a pretty critical exploit... you'd think they'd take the app down or at least change the admin URL while this is resolved. I shouldn't at this moment still be able to reset an arbitrary user's password by going to that URL.

...and how many people have found it and not said anything? We've all used poorly secured admins here and there, but /admin seems particularly egregious.

...and how many people have found it and not said anything?


It was only open for an hour.

No, it was only open and public for an hour. It could have been open for months, maybe longer.

It was the result of a change today, right before it hit Hacker News (so sayeth Marco of tumblr in the #tumblrs irc channel, anyway; I believe him).

As we know, hackers regularly turn random door knobs to see which doors open. Logs I can see show more black hat attempts than white hat, so either OldGregg's friend got lucky or a few exploits might have already been made.


Disrespectful to their users? Tumblr is free. I don't think they owe their users absolute ironclad security.

Cool, just making sure, because it is still up and you would assume something like this would be taken down immediately.

If that's true, the lead developer should be fired on the spot. They use that "good" old "security by obscurity". I thought this technique was dead long ago....

What if the lead developer is the CEO? What would you suggest then? Shut down the company?

Errare humanum est.

Yes, Errare humanum est. I guess natural selection will take care of companies like this. If the developer is the CEO, then the investors should be concerned.

To err is human, but to really foul things up, you need a computer for that.

That reminds me of Arthur C. Clarke's 1953 science fiction short story "The Nine Billion Names of God".


I can believe they stuck their admin at /admin, but it's hard to believe they didn't create an admin bit as part of the users table and check it to access /admin. That takes about 2 minutes if you do it when you create the system.
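An added example, not Tumblr's code, illustrating the "admin bit in the users table" this comment describes, together with the functional test an earlier comment says would have caught the hole: a minimal Python request handler with the login-only check beside the corrected one. The users, session tokens and status codes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    is_admin: bool = False  # the "admin bit" on the users table


# Constructed sample users table and session store (session token -> user id).
USERS = {
    1: User(1, "owner@example.com", is_admin=True),
    2: User(2, "reader@example.com"),
}
SESSIONS = {"tok-admin": 1, "tok-reader": 2}


def current_user(session_token):
    """Resolve a session token to a User, or None when not logged in."""
    return USERS.get(SESSIONS.get(session_token))


def admin_vulnerable(session_token):
    """Only checks that *someone* is logged in: any account reaches /admin."""
    if current_user(session_token) is None:
        return 302  # redirect to the login page
    return 200      # system-wide admin panel served


def admin_fixed(session_token):
    """Authenticate first, then authorize against the per-user admin bit."""
    user = current_user(session_token)
    if user is None:
        return 302
    if not user.is_admin:
        return 403  # logged in, but not privileged: refuse
    return 200


def authz_regression(handler):
    """Functional test for /admin: anonymous -> 302, plain user -> 403,
    admin -> 200. Returns True only when all three hold."""
    return (handler(None) == 302
            and handler("tok-reader") == 403
            and handler("tok-admin") == 200)
```

Running `authz_regression` against both handlers shows the difference: the login-only version serves the panel to an ordinary reader and fails the test, the fixed version passes.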

Oh well, everyone overlooks something that seems obvious to someone else, I guess.

Elevation of privilege FTL.

/admin is obscure? :/

A little harsh maybe... developers make mistakes... probably just forgot about it while trying to get the initial release out the door... it's not like Tumblr is a bank or the DoD.

Forgetting to secure the admin panel isn't a little mistake though, and it is easy enough to detect: "Hey, I didn't have to log in to an admin account to use the admin panel, that's weird".

Saying security is less important because it's not a bank doesn't make sense, because it's issues like this that can cost a company its existence.

This doesn't sound like the whole admin panel... it's possible nobody has even used this panel since testing...

It is a problem, just saying that I vote the developer keeps his job because I like Tumblr.

I'm not advocating firing the developer. If every developer got fired for every stupid silly mistake we'd have no working developers in the world. I was just clarifying the seriousness of this specific flaw. :)

OK, maybe :) But forgetting to secure your admin area deserves more than a simple warning. Can you imagine if the person that discovered the vulnerability decided to delete all the user accounts?

Or try out the usernames and passwords on say BofA?

The passwords aren't stored in plaintext, they said.

I didn't know what Tumblr is and I created an account just to confirm the hack (the security hole is still there). But this got me thinking about another post at HN on how to market your site - I guess a blatant (fake?) security hole is one way to do it.

Uh yeah. You must be part of the same marketing team that advises car manufacturers to stage huge vehicle safety recalls. That'll really get the customers knocking.

Tumblr has a great but small team, just like most of us on this site. As someone who makes mistakes, I offer them empathy and sympathy.

People would notice only if the site is already known; otherwise nobody would care, but it would probably hurt the site more than do good.

Does anyone else find it ironic that in apologizing for their SNAFU they list the full name of the one person affected most by the incident?

"We’d also like to make a special apology to Julia Allison, whose account was temporarily affected by our mistake."

Lesson: Man your support email 24/7.

Oh, by the way, if you can't code, have somebody look at your code.

It'll be interesting to see how this news spreads through the Twitterverse. Break the popcorn out: http://www.tweetscan.com/index.php?s=tumblr&u=

You may want to change your passwords and your mobile email address. Both were accessible.

Is that true that the passwords were revealed? All I saw was a reset link that I didn't click on.

Hang on, they're storing passwords in the clear? Really?

I actually don't know what Tumblr is. Is it a twitter clone or something?

They were the first popular tumbleblogging platform. It's a really good service, this incident notwithstanding.

The perverse irony of all of this is that the incident reminded me that I've got a Tumblr account. Before today, I hadn't logged in for over a year!

"Earlier this afternoon, during alterations to our administrator code, "

The thought of them just doing a live deploy freaks me out... not the best practice... ever... ever... for a major site like theirs.

Still works. Still up. Still the dumbest thing I've ever seen.

I can't believe, >30 min out, that this is still open.

The posts on this thread show how news.yc has gone down the tubes.

Not anymore, people. Nothing to see here, the hole is fixed.

And it's fixed.

It works. I just told them too.

They shut it down now...

Holy crap! That's true..


Screenshot or it didn't happen ;-)

The MIT computer lab used to forgo passwords. If you wanted to dick with the system you could, so it removed the thrill of "breaking in". You could mess with other people's accounts but they could mess with yours, too. Kind of like how everyone in Texas carries guns starting in kindergarten and so everyone is really polite.

I think it's a great lesson so I think I'll make my startup's vital information globally accessible (admin functions, source code, even my billing info for the ISP) and trust to my fellow human beings' goodwill.

I love you guys!!

Chalk one up for PHP!

More like a bad and/or careless programmer...

More like platforms that pride themselves on always leaving security entirely up to the programmer...

This is the dumbest comment I've ever read on here.

I agree.

