Skip links

Tumblr mistake or security issue

There is a post on Hacker News about a possible security issue with Tumblr. Basically a lot of confidential information, including server IPS, API keys, passwords, etc were leaked. Here is some of the stuff that was disclosed:

Database::set_defaults(array( ‘user’ => ‘tumblr3’, ‘password’ => ‘m3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4’, ..

define(‘MEMCACHE_HOST’, ‘10.252.0.68’); define(‘MEMCACHE_VERSION_HOST’, ‘10.252.0.67‘);

Database::add(‘primary’, array(‘host’ => ‘192.168.200.142‘)); ..


Anyone can look this up via Google or on Github.

Update: Tumblr posted about this issue: http://staff.tumblr.com/post/3959106211/update-regarding-security-issue.

So what is going on Tumblr? Did they get hacked somehow? We don’t think so… By looking at the disclosed data dump, it looks like one of your developers made a little mistake:

i?php require_once(‘chorus/Utils.php’);

Can you see it above? Instead of starting the PHP file with a “<php”, he/she started with “i?php” and somehow it went to production…. Guess what happened? Instead of executing the PHP code, the web server would display the source code for everyone to see… Including passwords, API keys, server names and anything that was specified in there.

What can we learn from this?

  1. The developer uses VI/VIM.
  2. Make sure to test your code before going to production.
  3. never rely on obscurity alone for your security….

What’s your take? We’d love to hear from you. Make sure to leave a comment below, and have a great weekend!

  • Wow, it’s great to know you found where the issue is.

  • this is why mission critical sites use change control processes. no one should be editing human readable code in production. you edit your code in your development and roll it forward to production, after it passes review. Geesh.

  • Stormy Lovell

    Very easy to do in Vi(m) if you’ve forgotten you’re already in insert mode, but still, why wasn’t it tested?

  • Don’t use PHP that puts your code into the doc root.

  • I have muscle memory to hit esc then i before going into insert mode. I’ve done some dumb mistakes by forgetting what mode I have been in with vim.

  • Anonymous Coward

    “What can we learn from this?”

    4. Even the author of the article doesn’t know how to start a PHP scripting block.

    If I was using VIM and forgot I was in insert mode I would have typed ‘i<?php' not 'i?php'