Security Flaw Found in Tumblr, Company Says It’s Now Fixed

Charlie White by Charlie White View Comments
email
share

It started with a tweet Saturday morning, sounding an alarm of a security breach in the popular microblogging platform Tumblr. “OMG… The Tumbeasts are spitting out passwords!,” it warned.

That tweet spread like wildfire, notifying the world of a coding error that opened a security hole with the potential of revealing users’ passwords, server IP addresses, API keys and personal information.

Fortunately, Tumblr reacted, fixing the problem and then issuing this official message about 5 to 6 hours after the flaw was discovered:

“A human error caused some sensitive server configuration information to be exposed this morning. Our technicians took immediate measures to protect from any issues that may come as a result.

We’re triple checking everything and bringing in outside auditors to confirm, but we have no reason to believe that anything was compromised. We’re certain that none of your personal information (passwords, etc.) was exposed, and your blog is backed up and safe as always. This was an embarrassing error, but something we were prepared for.

The fact that this occurred at all is still unacceptable, and we’ll be seriously evaluating and adjusting our processes to ensure an error like this can never happen again.

Please let us know if you have absolutely any questions.”

What caused the error? That’s still under intense discussion at The Hacker News and elsewhere in the hacker community, but many think the culprit was a errant piece of PHP code. Obviously, spelling counts.

Let us know in the comments if you think those who discovered the security flaw were more eager to broadcast its existence than notify the Tumbler coders who might have been in a position to quickly fix it.

Print Story Email Story

More Stories in Dev & Design

  1. Should Your Company Offer an API?

    Should Your Company Offer an API? View Comments

  2. Celebrating 20 Years of Linux [INFOGRAPHIC]

    Celebrating 20 Years of Linux [INFOGRAPHIC] View Comments

Top Related Stories

  1. Foursquare Checkins Get Encrypted

    Foursquare Checkins Get Encrypted View Comments

  2. New York Times Gets Its First Tumblr

    New York Times Gets Its First Tumblr View Comments

  • http://twitter.com/sexyprout sexyprout

    [...] a errant piece of PHP code that instead of starting off with “

    Hmm, ok.

  • http://twitter.com/jpp123 John P

    I think the mashable cms saw a <?php and deleted it

  • http://www.shotbeak.com shotbeak

    Quite ironic.

  • http://www.facebook.com/rohanpinto Rohan Pinto

    c’mon folks.. youre impressed that they fixed the issue and the fact that the passwords stored were not CRYPT’ed doesnt bother u at all !!!!

  • http://twitter.com/jpp123 John P

    At a guess it was a php raw script that was printed rather than executed and it had in it a database password

  • http://cincinna.wordpress.com/ CINNA

    *sips green tea latte* Boy, Mashable sure know how to sensationalize anything social media related don’t they. smh

  • http://pulse.yahoo.com/_ZTI23FO467XAG3QH2LZC7UHSEA Edward Margo

    sounds good http://www.hottestukdeals.org for more info and good deals of course!

  • http://twitter.com/Reynolds365 Gavin Reynolds

    Most probably right

  • http://www.bytehead.org/blog/ Bryan “bytehead” Price

    If you look at the source code, it’s in there.

    But yeah, instead of a < php, it was a ?php

    And I suspect that the preprocessor actually stripped it out.

  • http://compunoticias.com/2011/03/19/encontrado-fallo-de-seguridad-en-tumblr/ Encontrado fallo de seguridad en Tumblr « COMPUNOTICIAS – NOTICIAS DE INFORMÁTICA Y TECNOLOGÍA

    [...] Vía: Mashable [...]

  • http://www.trishtech.com/ Trisha P.

    Database::set_defaults(array( ‘user’ => ‘tumblr3′, ‘password’ => ‘m3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4′, ..

    That password is actually highly secure. But no use if you make it public :P

  • http://www.umalik.com Usman

    Tumblr should really just admit that they cannot handle so much data and let us use external hosting!

  • http://www.umalik.com Usman

    Tumblr should really just admit that they cannot handle so much data and let us use external hosting!

  • http://www.twitter.com/grantruxton Grant Ruxton

    Impressively spun statement from tumblr. Maybe they should allocate more budget to programers and auditors, than PR girls?

  • Anonymous

    Yay! The world would stop revolving without Tumblr!

    http://www.real-privacy.it.tc

  • http://www.deepsoni.me Deep S.

    I have a screen grab. Was fun readin it. Here:
    http://i.imgur.com/NQWg0.png

  • http://way2workfromhome.blogspot.com/ way2workfromhome

    I’m using tumblr, but I think blogger is more secure and easy to use.

  • Anonymous

    Wow – glad I don’t have a tumblr! My Marketing company does, but I dont think a tumblr would benefit me as a divorce attorney. Glad they got it fixed!
    http://www.pkfamilylaw.com

  • http://www.newtechie.com/?p=13 Security Flaw Found in Tumblr, Company Says It’s Now Fixed @ New Techie

    [...] full At Mashable Wow, 0 people read this. Tags: microblogging, Security, Tumblr Category: Internet, Security [...]

  • http://twitter.com/m4tthumphrey Matt Humphrey

    Wow! I like the term “bug” in this case!

  • http://www.deepsoni.me Deep S.

    Yeah seems like they turned off some custom php module by mistake, and its spitting out all the raw output.

blog comments powered by Disqus
Back to top Topics Lists News