
If that's true, the lead developer should be fired on the spot. They use that "good" old "security by obscurity". I thought this technique was dead long ago....



What if the lead developer is the CEO? What would you suggest then? Shut down the company?

Errare humanum est.

-----


Yes, Errare humanum est. I guess natural selection will take care of companies like this. If the developer is the CEO, then the investors should be concerned.

-----


To err is human, but to really foul things up, you need a computer for that.

-----


That reminds me of Arthur C. Clarke's 1953 science fiction short story "The Nine Billion Names of God".

http://en.wikipedia.org/wiki/The_Nine_Billion_Names_of_God

-----


I can believe they stuck their admin at /admin, but it's hard to believe they didn't create an admin bit as part of the users table and check it to access /admin. That takes about 2 minutes if you do it when you create the system.

Oh well, everyone overlooks something that seems obvious to someone else, I guess.

-----
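The "admin bit in the users table, checked before /admin" fix the comment above describes, as an added example (not Tumblr's code; the user table, route names and session shape are constructed). It also includes a self-check that lists any /admin route registered without the guard, which is how a missing check like this one can be caught before release:

```python
# Added example, not code from the thread or from Tumblr. Users, routes and
# session layout are all constructed for illustration.
from functools import wraps

# Constructed users table: id -> row with an explicit admin bit.
USERS = {
    1: {"name": "alice", "is_admin": True},
    2: {"name": "bob", "is_admin": False},
}

ROUTES = {}  # path -> handler

def route(path):
    def register(handler):
        ROUTES[path] = handler
        return handler
    return register

def require_admin(handler):
    """Deny unless the session maps to a user whose admin bit is set."""
    @wraps(handler)
    def guarded(session):
        user = USERS.get(session.get("user_id"))
        if user is None:
            return (401, "login required")      # not logged in at all
        if not user["is_admin"]:
            return (403, "forbidden")           # logged in, but not an admin
        return handler(session)
    guarded.admin_guarded = True                # marker the self-check looks for
    return guarded

@route("/admin")
@require_admin
def admin_panel(session):
    return (200, "admin panel")

@route("/admin/users")  # deliberately left unguarded so the self-check has something to report
def admin_users(session):
    return (200, "user list")

def dispatch(path, session):
    handler = ROUTES.get(path)
    return (404, "not found") if handler is None else handler(session)

def unguarded_admin_routes():
    """Return /admin paths whose handler lacks the guard; suitable as a CI assertion."""
    return sorted(p for p, h in ROUTES.items()
                  if p.startswith("/admin") and not getattr(h, "admin_guarded", False))
```

Hiding the path does nothing here; only the per-request check on the admin bit decides access, and `unguarded_admin_routes()` turns "I forgot the check on one route" into a failing test.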


Elevation of privilege FTL.

-----


/admin is obscure? :/

-----


A little harsh, maybe... developers make mistakes... probably just forgot about it while trying to get the initial release out the door... it's not like Tumblr is a bank or the DoD.

-----


Forgetting to secure the admin panel isn't a little mistake though, and is easy enough to detect: "Hey, I didn't have to log in to an admin account to use the admin panel, that's weird."

Saying security is less important because it's not a bank doesn't make sense, because it's issues like this that can cost a company its existence.

-----


This doesn't sound like the whole admin panel... it's possible nobody has even used this panel since testing...

It is a problem, just saying that I vote the developer keeps his job 'cause I like Tumblr.

-----


I'm not advocating firing the developer. If every developer got fired for every stupid silly mistake we'd have no working developers in the world. I was just clarifying the seriousness of this specific flaw. :)

-----


OK, maybe :) But forgetting to secure your admin area deserves more than a simple warning. Can you imagine if the person that discovered the vulnerability decided to delete all the user accounts?

-----


Or try out the usernames and passwords on say BofA?

-----


The passwords aren't stored in plaintext, they said.

-----



