Tumblr mistake or security issue

There is a post on Hacker News about a possible security issue with Tumblr. Basically, a lot of confidential information, including server IPs, API keys, passwords, etc., was leaked. Here is some of what was disclosed:

Database::set_defaults(array( 'user' => 'tumblr3', 'password' => 'm3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4', ..

define('MEMCACHE_HOST', '10.252.0.68'); define('MEMCACHE_VERSION_HOST', '10.252.0.67');

Database::add('primary', array('host' => '192.168.200.142')); ..


Anyone can look this up via Google or on GitHub.

Update: Tumblr posted about this issue: http://staff.tumblr.com/post/3959106211/update-regarding-security-issue.

So what is going on, Tumblr? Did they get hacked somehow? We don’t think so. Looking at the disclosed data dump, it appears that one of your developers made a little mistake:

i?php require_once('chorus/Utils.php');

Can you see it above? Instead of starting the PHP file with “<?php”, he/she started with “i?php”, and somehow it went to production. Guess what happened? PHP only interprets what follows an opening tag and passes everything else through as literal output, so instead of executing the PHP code, the web server displayed the source code for everyone to see, including passwords, API keys, server names and anything else that was specified in there.

What can we learn from this?

  1. The developer uses VI/VIM.
  2. Make sure to test your code before going to production.
  3. Never rely on obscurity alone for your security.
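
A pre-deployment check for the mistake described above, as an added example that is not part of the original post or of Tumblr's code. It assumes the files being scanned are meant to be pure PHP (configuration and library files, not HTML templates); the function names and the sample files are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Optional

# PHP only interprets bytes after an open tag; everything else is echoed verbatim.
OPEN_TAG = re.compile(rb"<\?(?:php(?=\s|$)|=)", re.IGNORECASE)

def literal_prefix(data: bytes) -> bytes:
    """Return the bytes that come before the first open tag (sent as-is to the client)."""
    m = OPEN_TAG.search(data)
    return data if m is None else data[:m.start()]

def audit(data: bytes) -> Optional[str]:
    """Return a finding for a file expected to be pure PHP, or None if it is clean."""
    prefix = literal_prefix(data)
    if not prefix.strip():
        return None                      # file starts with an open tag (or is empty)
    if OPEN_TAG.search(data) is None:
        return "no open tag: whole file is served as text"
    return "literal text before open tag: %r" % prefix[:20]

def scan_tree(root: str) -> dict:
    """Audit every *.php file under root; map relative path -> finding."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        result = audit(path.read_bytes())
        if result:
            findings[str(path.relative_to(root))] = result
    return findings

# Constructed samples (not Tumblr's files); the first mirrors the typo quoted above.
SAMPLES = {
    "typo.php": b"i?php require_once('chorus/Utils.php');\n",
    "good.php": b"<?php require_once('chorus/Utils.php');\n",
    "late.php": b"x\n<?php echo 1;\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, "->", audit(src) or "ok")
```

Run as a build or commit gate, a non-empty result from `scan_tree` should fail the deployment. A syntax-only check is not a substitute here, because text outside the PHP tags is valid input to the interpreter.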

What’s your take? We’d love to hear from you. Make sure to leave a comment below, and have a great weekend!

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.