There is a post on Hacker News about a possible security issue with Tumblr. Basically a lot of confidential information, including server IPS, API keys, passwords, etc were leaked. Here is some of the stuff that was disclosed:
Database::set_defaults(array( ‘user’ => ‘tumblr3′, ‘password’ => ‘m3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4′, ..
define(‘MEMCACHE_HOST’, ’10.252.0.68′); define(‘MEMCACHE_VERSION_HOST’, ‘10.252.0.67‘);
Database::add(‘primary’, array(‘host’ => ’192.168.200.142‘)); ..
Anyone can look this up via Google or on Github.
Update: Tumblr posted about this issue: http://staff.tumblr.com/post/3959106211/update-regarding-security-issue.
So what is going on Tumblr? Did they get hacked somehow? We don’t think so… By looking at the disclosed data dump, it looks like one of your developers made a little mistake:
i?php require_once(‘chorus/Utils.php’);
Can you see it above? Instead of starting the PHP file with a “<php”, he/she started with “i?php” and somehow it went to production…. Guess what happened? Instead of executing the PHP code, the web server would display the source code for everyone to see… Including passwords, API keys, server names and anything that was specified in there.
What can we learn from this?
- The developer uses VI/VIM.
- Make sure to test your code before going to production.
- never rely on obscurity alone for your security….
What’s your take? We’d love to hear from you. Make sure to leave a comment below, and have a great weekend!
