
It’s not a good day for tumbleblogging. Someone over at Hacker News just noticed that any signed-in Tumblr user can reach the site’s admin panel simply by entering its URL: the application checks that a visitor is logged in, but not that the account is actually an administrator.
Among the capabilities exposed are searching for users and resetting their passwords. You can also change their email addresses, view their activity logs, and change other miscellaneous settings like daily limits on post types. Note that changing a user’s email address and resetting their password together amount to a full account takeover.
According to the person who posted the exploit on Hacker News, Tumblr has already been notified of the security hole but apparently has yet to fix it. Update: They’ve just fixed it. The exploit was publicly known for about an hour. Update 2: Tumblr’s security notice.
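The bug described above is a missing authorization check, not a missing authentication check: the admin route asked “is this visitor logged in?” when it needed to ask “is this account an administrator?”. What follows is an added example, not Tumblr’s code (a commenter below notes the real application is PHP; the pattern is language-independent, so it is written in Python). It shows the vulnerable handler beside the fixed one, and a central dispatcher that denies anything under /admin/ by default and can take the whole prefix offline as an emergency stopgap. Every name in it (User, SESSIONS, dispatch, ROUTES) and the session table are constructed for illustration.

```python
"""Added example: authentication is not authorization on an admin route.

Constructed, framework-free model of the bug described in the post. Every
name here (User, SESSIONS, dispatch, ROUTES) is an assumption made for
illustration and is not Tumblr's code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]  # (HTTP status, body or redirect target)


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


# Constructed session table: session cookie value -> signed-in account.
SESSIONS: Dict[str, User] = {
    "sess-alice": User("alice", is_admin=False),  # ordinary blogger
    "sess-ops": User("ops", is_admin=True),       # staff account
}


def current_user(session_id: Optional[str]) -> Optional[User]:
    """Resolve a session cookie to an account; None when not signed in."""
    return SESSIONS.get(session_id or "")


def admin_panel_vulnerable(user: Optional[User]) -> Response:
    """The bug as described: 'signed in' is treated as 'authorized'."""
    if user is None:
        return 302, "/login"
    # Any account reaches the user search, password reset, email change, ...
    return 200, f"admin panel (user={user.name})"


def admin_panel_fixed(user: Optional[User]) -> Response:
    """Same handler with the missing role check."""
    if user is None:
        return 302, "/login"
    if not user.is_admin:
        # 404 rather than 403: do not confirm to non-staff that the route exists.
        return 404, "not found"
    return 200, f"admin panel (user={user.name})"


Handler = Callable[[Optional[User]], Response]
Routes = Dict[str, Tuple[Handler, bool]]  # path -> (handler, requires_admin)


def dispatch(routes: Routes, path: str, session_id: Optional[str],
             admin_prefix: str = "/admin", admin_disabled: bool = False) -> Response:
    """Central gate in front of every handler.

    Two properties a per-handler check cannot give you:
    - Deny by default: any path under admin_prefix is admin-only even if the
      route table forgot to flag it, so a handler that omits its own check
      (like admin_panel_vulnerable) is still covered.
    - Kill switch: admin_disabled sends every /admin/* request to a 404, the
      'route it elsewhere until you can add security' stopgap a commenter
      suggests, so exposure can be closed in seconds while the fix is written.
    """
    under_admin = path == admin_prefix or path.startswith(admin_prefix + "/")
    if admin_disabled and under_admin:
        return 404, "not found"
    entry = routes.get(path)
    if entry is None:
        return 404, "not found"
    handler, requires_admin = entry
    user = current_user(session_id)
    if (requires_admin or under_admin) and not (user and user.is_admin):
        return 404, "not found"
    return handler(user)


def dashboard(user: Optional[User]) -> Response:
    """Ordinary signed-in page; being logged in is enough here."""
    if user is None:
        return 302, "/login"
    return 200, f"dashboard for {user.name}"


# The buggy handler is deliberately left in the table: the dispatcher's
# deny-by-default rule is what keeps it unreachable for non-admins.
ROUTES: Routes = {
    "/dashboard": (dashboard, False),
    "/admin": (admin_panel_vulnerable, True),
}


if __name__ == "__main__":
    for path, sess in [("/admin", "sess-alice"), ("/admin", "sess-ops"),
                       ("/admin", None), ("/dashboard", "sess-alice")]:
        print(path, sess, "->", dispatch(ROUTES, path, sess))
    print("bare handler, alice ->", admin_panel_vulnerable(current_user("sess-alice")))
    print("kill switch, ops ->", dispatch(ROUTES, "/admin", "sess-ops", admin_disabled=True))
```

Run as a script it prints the dispatch decision for each case. The point worth keeping is where the check lives: once the dispatcher treats the whole /admin prefix as staff-only, a single handler that forgets its own role check is no longer a site-wide account-takeover bug.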

hmmm, must be a ruby app…
A 40-odd minute fix from the public exposure is pretty impressive, but the fact it was there in the first place is pretty depressing too. I wonder how long it’s been open?
They also displayed the mobile mail-in address. Which means anyone with that address could post to that person’s Tumblr.
You may want to reset your passwords and mobile email address (under Goodies)
@Ewan, good call.
I also feel that Tumblr would benefit from an HTTPS secure log-in too.
“hmmm, must be a ruby app…”
… because of the hole or because it was plugged so quickly?
Seriously this is not news.
Ewan,
It shouldn’t have taken 40 minutes. It shouldn’t have still been working when it went public. Taking the page down should also only take a few seconds: just route /admin/* requests elsewhere until you can add security.
@Paul as a tumblr user (and recommender to other people) it certainly was to me
I’m confused. What was the exploit? If the app was written so that you had to have a valid username and password for an admin user entered in order to access the admin area, then the admin URL wouldn’t have exposed anything. Did they really goof that badly, or was some kind of malicious data entered to gain access?
If I reveal a security hole on my blog, will you guys promise to link to it on your websitez?
Thank you in advance.
@Shawn of course it shouldn’t have been working at all, and it’s not acceptable that it was there, but the 40 minutes from public outing to fix is certainly one of the quickest responses I’ve come across – compare this to the (somewhat less serious) Facebook privacy issues which have gone unfixed for months.
@Jared the issue was that there was no authentication for the admin panel so any user could go to /admin and access it.
why would you announce this before it was fixed. you are such a jerk.
#9 Jared: Basically, once you were logged in as a normal user, you could type in /admin to access the back-end admin screen. It would seem that, yes, they did goof that badly.
Finding a security hole is one thing. Publishing it before they manage to fix it is another. Re-publishing it within an hour without knowing if it has been fixed is yet another thing. Nice. Real nice.
You couldn’t have waited an hour to post this to allow Tumblr to fix it before you post?
Yes he needed to post it before it got fixed — sometimes news is unpleasant, but that doesn’t mean people shouldn’t know about it. Publicity helps spur things on, after all.
Let’s hope some evil person didn’t get in there and steal all those email addresses. I used a clean non-spammed email for Tumblr and will not be pleased if I get spam on it.
They’re definitely scrambling over in “Davidville” right now. Julia Allison’s itsmejulia.com is down and briefly there was an errant post from her account on my dashboard that was certainly a hack.
Jamie: Sure, if they weren’t going to fix it, fine, go ahead and publish it; but Tumblr only had the information at best 10 minutes before this post went up.
In that open window (of time) they got in, changed my pass & email settings to which my account no longer exists. http://nevver.tumblr.com/
Word is the passwords have been leaked too.
In plain text.
@Simon I’m fairly certain Tumblr had this information when they wrote the app.
@Blowski
Absolutely, completely untrue.
@Bill I
You would say that wouldn’t you though. Don’t want to cause a panic.
@hisherness How are you fairly certain of that? Doesn’t get rid that they should be given the chance to fix it before exposing the possibility of ruining a majority of peoples accounts.
@Blowski If you look at the screenshots you could only reset the password not look at it.
That’s despicable.
You should have waited till they fixed the issue.
New low for M$ controlled propaganda outlet: JerkCrunch
Post on Davidville.com:
http://blog.dav...ecurity-notice/
Tumblr founder David Karp responds to (and explains) the security breach on his blog here:
http://blog.dav...otice/#comments
Gee TechCrunch, you guys are awesome. Bet you’ll think it’s awesome when someone announces an open security hole in your site before it’s fixed.
What goes around comes around. I hope you get back what you deserve for this selfish post.
Are you going to start posting about celebrities on drug rehab stints or is this kind of reporting only temporary?
seriously, why would you post this as soon as you found out about it. I know this is a blog, but have some decency
why does TechCrunch publish this stuff before the hole is fixed.. sending hordes of script kiddies to mess with the exploit is not cool.. and it certainly is not news.. arghh..
Posting this before Tumblr could adequately respond and deal with the issue is an insult to David and Marco, as well as every legitimate Tumblr user out there, aside from this not even being real news. You guys are no better than the people who ended up mucking around with things during the breach.
I see you have no ethical problems reporting and publicizing a security hole before it is fixed. Any decent journalist would fact-check a story before running with it, so why not pause before publishing here too?
It really is accepted practice to notify people about security holes and only go public to force the company’s hand if they refuse to fix it. Doing anything other than this shows you up as a publicity-hungry, ethically naive hack.
Love all the “security through obscurity” arguments against publicizing this crack. Must be a lot of aspiring CEOs who are practicing their authoritarian management techniques so they don’t ever have to account for their mistakes.
Sorry all you paper MBAs, but it helps the USERS to know that there’s a problem on the site so they can figure out what they want to do. If this means not using your service/site anymore then you should think about talking to your development director or other programming management about quality control and accepted practices. Making sure an admin is actually an admin is ultra-basic.
A week ago another website I frequently visit, Killerstartups.com, had a problem and you could see the whole index of the website including the admin login, and within minutes or so everything was fixed.
Nat
http://www.workersinc.com
We all know what to do when it is discovered TechCrunch has a security hole
That’s great that they got a handle on things. It is problems like this that cause me to be wary of storing personal information on the internet.
I find it strange there are so many people mad that this mistake was published. GOOD journalism dictates that everyone be notified as soon as something happens, and a good journalist has good sources. If the report was incorrect then we look at the journalist. In this case it was not. Kudos for fixing it so fast, but we have to take into account the fact that if it can be fixed faster than it is reported, we may never know our information was compromised. Luckily we could depend on Tumblr to tell everyone, but not every site is so ethically well adjusted.
Just wanted to say – I post comments on here a fair bit and the Blowski doing a spot of FUD above (#22,#25) is not me. Just for the record.
Oh, BTW, I like cock and balls.
Go F#$k Yourself.
Show some class. What goes around comes around.
It’s a php app folks. For the ruby/rails hater above.
Mike, so by your logic, if Tumblr is dependable to share security breaches with their users, why did you post this? And even if you say this was a test of their dependable nature, you could have at least called them or made sure they fixed it before posting.
The users don’t need to know the absolute second of a security breach. It’s not like the users can do anything to stop someone with admin privileges, it’s true they needed to know, but you could have emailed Tumblr or contacted them and told them you were going to post at the end of the day.
Jesus. Give them some time.
Um, no, “good journalism” does not require the article to go up before Tumblr has a chance to respond. Standard journalistic practice, which is what I believe you’re really referring to, involves at least trying to get a statement from all the interested parties. Or have you never noticed the “So-and-so did not respond to our requests for comments” in newspaper articles before?
Good security reporting practices, on the other hand, pretty much DO require giving the affected party a chance to not only respond but repair before widely disseminating a breach. Cameron is absolutely correct in his response above.
This is an issue that others have noted with TechCrunch, although it’s absolutely not unique to them: a desire to be the first big-name outlet with “the scoop” means that you’re throwing standard journalistic practices out the window whenever they threaten to slow you down. You may publish clarifications and expansions throughout the day, but that’s not the same as taking the time to get it as close to right as possible to start with. (Of course, when someone corrects you, you may dismiss them entirely for sending negative energy your way. We all have our own ideas of what “editorial standards” mean.)
What kind of asshole posts a security breach on a high traffic website before contacting the site owners… disgusting.
Just because I couldn’t resist responding to your juvenile behavior, and partly because it turns me on so much, here’s a rub: Tumblr, not iTumblr.
Ah, I meant that for Arrington.
You suck for laughing at others fault.
@Watts and Cameron: at the time of my post the breach had already been fixed. I suppose when I take a second look I have to agree with the statement that we do not need to know about the breach at the moment it happens. I was responding more to the protection of free speech and press. Note that I am not a journalist either, so I do not know a lot about standard journalistic practice. Also, with further insight into my own statements, I decided I was being contradictory in that I was defending TechCrunch in their right to publish without regard to the rights of the readers to respond. This I think is a fantastic system where the journalist is held very much accountable not only to the public, but to each and every reader’s individual assessment of their journalistic integrity. Good job for keeping not only TechCrunch in check, but me too.