Update : Tumblr security flaw, Clarification by Tumblr official staff ! : The Hacker News ~ http://www.thehackernews.com/2011/03/tumblr-security-flaw-clarification-by.html



There is a possible security issue with Tumblr. Basically a lot of confidential information, including server IPS, API keys, passwords, etc were leaked. There are some of the stuff that got disclosed:
Database::set_defaults(array( ‘user’ => ‘tumblr3′, ‘password’ => ‘m3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4′, ..
define(‘MEMCACHE_HOST’, ’10.252.0.68′); define(‘MEMCACHE_VERSION_HOST’, ‘10.252.0.67‘);
Database::add(‘primary’, array(‘host’ => ’192.168.200.142‘)); ..
We redacted a bit to protect the innocent, but anyone can find it on Google.
So what is going on? Did they got hacked somehow? We don’t think so… By looking at the disclosed data dump, it looks like one of their developers make a little mistake:
i?php require_once(‘chorus/Utils.php’);
Can you see it above? Instead of starting the PHP file with a “<php”, he started with “i?php” and somehow it went to production…. Guess what happened? Instead of executing the PHP code, the web server would display the source code for everyone to see… Including passwords, API keys, server names and anything that was specified in there.
What can we learn from this ? One, is that the developer uses VI/VIM. Two, test your code before going to production. Three, never rely on obscutiry alone for your security

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.