Tumblr security hole (the gaping kind)

80 points by oldgregg ↗ HN
My friend noticed this: If you login to your tumblr account then manually go to /admin it takes you to the systemwide tumblr admin... wow.

84 comments

[ 2.8 ms ] story [ 116 ms ] thread
If that's true, the lead developer should be fired on the spot. They use that "good" old "security by obscurity". I thought this technique was dead long ago....
/admin is obscure? :/
a little harsh maybe....developers make mistakes...probably just forgot about it while trying to get the initial release out the door.... its not like tumblr is a bank or the DoD
ok, maybe :) But forgeting to secure your admin area deserves more than a simple warning. Can you imagine if the person that discovered the vulnerability decided to delete all the user accounts?
(comment deleted)
Or try out the usernames and passwords on say BofA?
The passwords aren't stored in plaintext, they said.
Forgetting to secure the admin panel isn't a little mistake though and is easy enough to detect "Hey, I didn't have to log in to an admin account to use the admin panel thats weird".

Saying security is less important because it's not a bank doesn't make sense because it's issues like this that can cost a company it's existence.

This doesnt sound like the whole admin panel... its possible nobody has even used this panel since testing...

It is a problem, just saying that I vote the developer keeps his job cause i like tumblr

I'm not advocating firing the developer. If every developer got fired for every stupid silly mistake we'd have no working developers in the world. I was just clarifying the seriousness of this specific flaw. :)
What if the lead developer is the CEO? What would you suggest then? Shut down the company?

Errare humanum est.

Yes, Errare human est. I guess natural selection will take care of companies like this. If the developer is the CEO, then the investors should be concerned.
I can believe they stuck their admin at /admin, but it's hard to believe they didn't create an admin bit as part of the users table and check it to access /admin. That takes about 2 minutes if you do it when you create the system.

Oh well, everyone overlooks something that seems obvious to someone else, I guess.

Elevation of privilege FTL.
Probably better to let Tumblr know first, then us.

Edit: just confirmed that it works.

Basically let's you search users by id or email then give you ability to change their email/reset password.

I just shot them a mail to let them know.

Ironically they don't obey one of the primary rules of usability for websites: have a link to contact info on the front page.

I've complained about it before. Not only is it not on the front page, for a long time it just did not exist.
(comment deleted)
Interestingly, I've looked at your comment about 10 times and just now noticed that you transposed the 'm' and 'b' in Tumblr. :)
Whoops. Well they've done studies to show common typos don't affect the meaning too much. I've updated it though -

"Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe." - http://www.mrc-cbu.cam.ac.uk/~mattd/Cmabrigde/

Screenshot or it didn't happen ;-)
That is absolutely unbelievable.
Did you or your friend happen to report this to them before posting it here?
yeah he said he told them. I would have more sympathy if it was an obscure hole, but something this big is just disrespectful to their users.
This is a pretty critical exploit . . . you'd think they'd take the app down or at least change the admin URL while this is resolved. I shouldn't at this moment still be able to reset an arbitrary user's password by going to that URL.
...and how many people have found it and not said anything? we've all used poorly secured admins here and there, but /admin seems particularly egregious.
...and how many people have found it and not said anything?

Scary.

It was only open for an hour.
No, it was only open and public for an hour. It could have been open for months, maybe longer.
It was the result of a change today, right before it hit Hacker News (so sayeth Marco of tumblr in the #tumblrs irc channel, anyway; I believe him).
As we know, hackers regularly turn random door knobs to see which doors open. Logs i can see show more black hat attempts than white hat, so either OldGregg's friend got lucky or a few exploits might have already been made.
Cool just making sure because it is still up and you would assume something like this would be taken down immediately.
Disrespectful to their users? Tumblr is free. I don't think they owe their users absolute iron clad security.
I actually don't know what Tumblr is. Is it a twitter clone or something?
They were the first popular tumbleblogging platform. It's a really good service, this incident notwithstanding.

The perverse irony of all of this is that the incident reminded me that I've got a Tumblr account. Before today, I hadn't logged in for over a year!

it works. i just told them too.
Don't you think it's a tad unreasonable-- almost stupid-- to post something like this here? At the very least, it's immoral.

You can essentially take control of Tumblr.

What the hell is Tumblr? And what happened to vowels?
Tumblr is an awesome blogging platform that's dead simple and has some Twitteresque social features (ie following) built in.

Also has a great bookmarklet and a neat api.

And a non-existant QA department apparently?
QA departments are notorious for not being very creative. You'd need a star QA department to find the /admin hole, I think.
No, you just need functional tests. Having these kind of bugs in a spare time project is fine, but if you call yourself a startup and ask customers to trust you with data, you need to seriously consider security issues.
yea i mean it seems to be a first step obvious point.
You must be new here.
Holy crap! That's true..
I didn't know what Tumbler is and I created an account just to confirm the hack (the security hole is still there). But this got me thinking about another post at HN on how to market your site - I guess a blatant (fake?) security hole is one way to do it.
Uh yeah. You must be part of the same marketing team that advises car manufacturers to stage huge vehicle safety recalls. That'll really get the customers knocking.

Tumblr has a great but small team, just like most of us on this site. As someone who makes mistakes, I offer them empathy and sympathy.

people would notice only if the site is already known or else nobody would care, but it would probably hurt the site than do good
I can't believe, >30 min out, that this is still open
Still works. Still up. Still the dumbest thing I've ever seen.
They turned it off at 4:07 eastern
I'm very disappointed in you all, I'm sure we could have had a lot of fun in the mean time...
(comment deleted)
[4:09 pm] Problem fixed. Response time: 43 minutes.
(comment deleted)
You may want to change your passwords and your mobile email address. Both were accessible.
Is that true that the passwords were revealed? All I saw was a reset link that I didn't click on.
hang on, they're storing passwords in the clear? really?
Lesson: Man your support email 24/7.

Oh, by the way, if you can't code, have somebody look at your code.

Not anymore people. Nothing to see here, hole is fixed
Did someone at least remove Jakob Lodwick's blog while the exploit was open?