Tumblr mistake or security issue

There is a post on Hacker News about a possible security issue with Tumblr. Basically, a lot of confidential information, including server IPs, API keys, passwords, etc., was leaked. Here is some of the stuff that was disclosed:

Database::set_defaults(array( 'user' => 'tumblr3', 'password' => 'm3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4', ..

define('MEMCACHE_HOST', '10.252.0.68'); define('MEMCACHE_VERSION_HOST', '10.252.0.67');

Database::add('primary', array('host' => '192.168.200.142')); ..

Anyone can look this up via Google or on GitHub.

Update: Tumblr posted about this issue: http://staff.tumblr.com/post/3959106211/update-regarding-security-issue.

So what is going on at Tumblr? Did they get hacked somehow? We don’t think so. Looking at the disclosed data dump, it looks like one of their developers made a little mistake:

i?php require_once('chorus/Utils.php');

Can you see it above? Instead of starting the PHP file with “<?php”, he/she started with “i?php”, and somehow it went to production. Guess what happened? Instead of executing the PHP code, the web server displayed the source code for everyone to see, including passwords, API keys, server names and anything else that was specified in there.

What can we learn from this?

  1. The developer uses vi/Vim.
  2. Make sure to test your code before going to production.
  3. Never rely on obscurity alone for your security.
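The failure mode above (any bytes before the PHP open tag are sent to the browser verbatim) is cheap to catch before deployment. The following is an added example, not Sucuri's or Tumblr's code: a small pre-deploy check that flags PHP files in the document root that do not begin with “<?php” and files that define credential-like values; the file contents and the credential pattern are constructed for illustration.

```python
import re

OPEN_TAG = "<?php"

# Constructed pattern for credential-like definitions, loosely modelled on the
# leaked lines quoted above: array keys such as 'password' => ... and
# define('SOMETHING_KEY', ...) style constants. Tune it for your own code base.
SECRET_RE = re.compile(
    r"""['"](?:password|passwd|secret|api_key|apikey)['"]\s*=>"""
    r"""|define\(\s*['"][A-Z_]*(?:PASS|SECRET|KEY|TOKEN)[A-Z_]*['"]""",
    re.IGNORECASE,
)


def check_php_file(name: str, text: str) -> list[str]:
    """Return findings for one PHP file that will be served from the document root.

    1. Anything before the first '<?php' is emitted as plain text by the web
       server, so a file whose tag is missing or not at byte 0 leaks its source.
    2. Credential definitions should not live in web-served files at all.
    """
    findings = []
    idx = text.find(OPEN_TAG)
    if idx != 0:
        leaked = text if idx == -1 else text[:idx]
        findings.append(f"{name}: {len(leaked)} byte(s) precede the PHP open tag "
                        "and would be served as plain text")
    for lineno, line in enumerate(text.splitlines(), 1):
        if SECRET_RE.search(line):
            findings.append(f"{name}:{lineno}: credential-like definition in a web-served file")
    return findings


def is_deployable(files: dict[str, str]) -> bool:
    """True only when no file under the document root produced a finding."""
    return not any(check_php_file(name, text) for name, text in files.items())


# Constructed samples (not the real leaked file): the typo the post describes,
# the same file with the tag intact, and a config-free index page.
BROKEN_CONFIG = ("i?php require_once('chorus/Utils.php');\n"
                 "Database::set_defaults(array('user' => 'app_user', 'password' => 'EXAMPLE-PASSWORD'));\n")
FIXED_CONFIG = "<?php" + BROKEN_CONFIG[len("i?php"):]
CLEAN_INDEX = "<?php\nrequire_once(__DIR__ . '/../config/db.php');\necho 'hello';\n"

if __name__ == "__main__":
    for fname, body in {"config.php": BROKEN_CONFIG, "index.php": CLEAN_INDEX}.items():
        for finding in check_php_file(fname, body):
            print(finding)
```

Running the check in CI against the files that will land in the document root turns lesson 2 into a gate rather than a hope; the second finding also argues for keeping configuration outside the web root entirely.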

What’s your take? We’d love to hear from you. Make sure to leave a comment below, and have a great weekend!

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://aolvideos.org Pothi

    Wow, it’s great to know you found where the issue is.

  • http://loadedcommerce.com/ Salvatore F. Iozzia

    This is why mission-critical sites use change control processes. No one should be editing human-readable code in production. You edit your code in your development environment and roll it forward to production after it passes review. Geesh.

  • Stormy Lovell

    Very easy to do in Vi(m) if you’ve forgotten you’re already in insert mode, but still, why wasn’t it tested?

  • http://www.facebook.com/emperorcezar Cezar Jenkins

    Don’t use PHP that puts your code into the doc root.

  • http://sproutable.org vahtryn

    I have muscle memory to hit Esc then i before going into insert mode. I’ve made some dumb mistakes by forgetting what mode I have been in with Vim.

  • Anonymous Coward

    “What can we learn from this?”

    4. Even the author of the article doesn’t know how to start a PHP scripting block.

    If I was using Vim and forgot I was in insert mode, I would have typed ‘i<?php’, not ‘i?php’.
