
Tumblr security flaw: server IPs, API keys, passwords, etc. were leaked!

Update: Tumblr security flaw, clarification by Tumblr official staff!

There is a possible security issue with Tumblr. Basically, a lot of confidential information, including server IPs, API keys, passwords, etc., was leaked. Here is some of what got disclosed:
Database::set_defaults(array( 'user' => 'tumblr3', 'password' => 'm3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4', ..
define('MEMCACHE_HOST', ''); define('MEMCACHE_VERSION_HOST', '');
Database::add('primary', array('host' => '')); ..
We redacted a bit to protect the innocent, but anyone can find it on Google.
So what is going on? Did they get hacked somehow? We don't think so… Looking at the disclosed data dump, it appears that one of their developers made a little mistake:
i?php require_once('chorus/Utils.php');
Can you see it above? Instead of starting the PHP file with "<?php", he started it with "i?php" and somehow it went to production… Guess what happened? Instead of executing the PHP code, the web server displayed the source code for everyone to see, including passwords, API keys, server names and anything else that was specified in there.
What can we learn from this? One, the developer uses VI/VIM. Two, test your code before going to production. Three, never rely on obscurity alone for your security.
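A pre-deployment check for the mistake described above, as an added example (not code from Tumblr or from the original article): it splits a PHP file the way the interpreter does and flags code-like text that sits outside any "<?php" tag and would therefore be sent to clients verbatim. The pattern list, function names and sample strings are assumptions constructed for illustration, and a "?>" inside a PHP string is treated as a closing tag for simplicity.

```python
import re
import sys

# Tags that switch PHP from echoing text to executing code (short "<?" ignored).
OPEN_TAG = re.compile(r"<\?php(?=\s|$)|<\?=", re.IGNORECASE)

# Heuristic signs that literal text is really PHP source (assumed patterns).
CODE_HINTS = re.compile(
    r"\?php\b"                                # mangled tag such as "i?php"
    r"|\b(?:require|include)(?:_once)?\s*\("
    r"|\bdefine\s*\("
    r"|\b\w+::\w+\s*\("                       # static call, e.g. Database::add(
)

def literal_regions(source):
    """Yield (line_no, text) for each span PHP would send to clients as-is."""
    pos = 0
    while pos < len(source):
        tag = OPEN_TAG.search(source, pos)
        end = tag.start() if tag else len(source)
        if end > pos:
            yield source.count("\n", 0, pos) + 1, source[pos:end]
        if not tag:
            return
        close = source.find("?>", tag.end())
        pos = close + 2 if close != -1 else len(source)  # unclosed tag: all code

def find_leaks(source):
    """Return [(line_no, matched_text)] for code-like text outside PHP tags."""
    findings = []
    for line_no, text in literal_regions(source):
        for hit in CODE_HINTS.finditer(text):
            line = line_no + text.count("\n", 0, hit.start())
            findings.append((line, hit.group(0)))
    return findings

# Constructed samples: the article's typo, and a correctly tagged file.
BROKEN = "i?php require_once('chorus/Utils.php');\nDatabase::add('primary', array());\n"
GOOD = "<?php\nrequire_once('chorus/Utils.php');\n?>\n<p>Hello</p>\n"

if __name__ == "__main__":
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line, what in find_leaks(fh.read()):
                status = 1
                print(f"{path}:{line}: PHP code outside <?php tag: {what!r}")
    sys.exit(status)
```

Run it with the PHP files of a release as arguments; a non-zero exit status can fail the build before the files reach production.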
