
If that's true, the lead developer should be fired on the spot. They use that "good" old "security by obscurity". I thought this technique was dead long ago....



What if the lead developer is the CEO? What would you suggest then? Shut down the company?

Errare humanum est.


Yes, Errare humanum est. I guess natural selection will take care of companies like this. If the developer is the CEO, then the investors should be concerned.


To err is human, but to really foul things up, you need a computer for that.


That reminds me of Arthur C. Clarke's 1953 science fiction short story "The Nine Billion Names of God".

http://en.wikipedia.org/wiki/The_Nine_Billion_Names_of_God


I can believe they stuck their admin at /admin, but it's hard to believe they didn't create an admin bit as part of the users table and check it to access /admin. That takes about 2 minutes if you do it when you create the system.

Oh well, everyone overlooks something that seems obvious to someone else, I guess.
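The "admin bit on the users table, checked before serving /admin" that the comment above describes, as an added example that is not code from the original thread or from Tumblr. It uses a constructed in-memory user store and a minimal request dispatcher (the `Request`/`Response` types, `USERS` and `require_admin` are all assumptions made for the illustration); the unprotected dispatcher is shown beside the guarded one so the difference in behaviour is visible.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample user records. The is_admin flag is the "admin bit"
# on the users table that the comment above refers to.
USERS: Dict[str, Dict[str, bool]] = {
    "alice": {"is_admin": True},
    "bob": {"is_admin": False},
}


@dataclass
class Request:
    path: str
    user: Optional[str]  # username from an authenticated session, or None if anonymous


@dataclass
class Response:
    status: int
    body: str


Handler = Callable[[Request], Response]


def admin_panel(req: Request) -> Response:
    # Stand-in for the real admin functionality.
    return Response(200, "admin panel")


def dispatch_unprotected(req: Request) -> Response:
    # The flaw discussed in the thread: /admin is wired up as a plain route,
    # so anyone who requests the path gets the panel, logged in or not.
    routes: Dict[str, Handler] = {"/admin": admin_panel}
    handler = routes.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req)


def require_admin(handler: Handler) -> Handler:
    # Guard that looks up the caller's record and refuses unless the admin bit is set.
    # Default is deny: an unknown user or a missing flag is treated as non-admin.
    def guarded(req: Request) -> Response:
        if req.user is None:
            return Response(401, "login required")
        record = USERS.get(req.user)
        if record is None or not record.get("is_admin", False):
            return Response(403, "forbidden")
        return handler(req)

    return guarded


def dispatch_protected(req: Request) -> Response:
    # Same routing table, but the admin handler is wrapped in the guard.
    routes: Dict[str, Handler] = {"/admin": require_admin(admin_panel)}
    handler = routes.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req)


if __name__ == "__main__":
    for dispatch in (dispatch_unprotected, dispatch_protected):
        for user in (None, "bob", "alice"):
            resp = dispatch(Request("/admin", user))
            print(f"{dispatch.__name__:22} user={user!s:6} -> {resp.status} {resp.body}")
```

The guard is applied at the routing layer rather than inside `admin_panel`, so adding a second admin route cannot silently skip the check; the deny-by-default branches are what make "I didn't have to log in" impossible to overlook during testing.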


Elevation of privilege FTL.


/admin is obscure? :/


A little harsh maybe... developers make mistakes... probably just forgot about it while trying to get the initial release out the door... it's not like Tumblr is a bank or the DoD.


Forgetting to secure the admin panel isn't a little mistake though, and it is easy enough to detect: "Hey, I didn't have to log in to an admin account to use the admin panel, that's weird."

Saying security is less important because it's not a bank doesn't make sense, because it's issues like this that can cost a company its existence.


This doesn't sound like the whole admin panel... it's possible nobody has even used this panel since testing...

It is a problem, just saying that I vote the developer keeps his job 'cause I like Tumblr.


I'm not advocating firing the developer. If every developer got fired for every stupid silly mistake we'd have no working developers in the world. I was just clarifying the seriousness of this specific flaw. :)


OK, maybe :) But forgetting to secure your admin area deserves more than a simple warning. Can you imagine if the person that discovered the vulnerability decided to delete all the user accounts?


Or try out the usernames and passwords on say BofA?


The passwords aren't stored in plaintext, they said.



