Update : Tumblr security flaw, Clarification by Tumblr official staff ! : The Hacker News ~ https://www.thehackernews.com/2011/03/tumblr-security-flaw-clarification-by.html


The Hacker News

There is a possible security issue with Tumblr. Basically a lot of confidential information, including server IPS, API keys, passwords, etc were leaked. There are some of the stuff that got disclosed:
Database::set_defaults(array( 'user' => 'tumblr3′, 'password' => 'm3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4′, ..
define('MEMCACHE_HOST', '10.252.0.68′); define('MEMCACHE_VERSION_HOST', '10.252.0.67');
Database::add('primary', array('host' => '192.168.200.142')); ..
We redacted a bit to protect the innocent, but anyone can find it on Google.
So what is going on? Did they got hacked somehow? We don't think so… By looking at the disclosed data dump, it looks like one of their developers make a little mistake:
i?php require_once('chorus/Utils.php');
Can you see it above? Instead of starting the PHP file with a "<php", he started with "i?php" and somehow it went to production…. Guess what happened? Instead of executing the PHP code, the web server would display the source code for everyone to see… Including passwords, API keys, server names and anything that was specified in there.
What can we learn from this ? One, is that the developer uses VI/VIM. Two, test your code before going to production. Three, never rely on obscutiry alone for your security

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.