This is a pretty critical exploit... you'd think they'd take the app down or at least change the admin URL while this is resolved. I shouldn't at this moment still be able to reset an arbitrary user's password by going to that URL.

...and how many people have found it and not said anything? We've all used poorly secured admins here and there, but /admin seems particularly egregious.

...and how many people have found it and not said anything?
It was only open for an hour.

No, it was only open and public for an hour. It could have been open for months, maybe longer.

It was the result of a change today, right before it hit Hacker News (so sayeth Marco of tumblr in the #tumblrs irc channel, anyway; I believe him).

As we know, hackers regularly turn random door knobs to see which doors open. Logs I can see show more black hat attempts than white hat, so either OldGregg's friend got lucky or a few exploits might have already been made.