Whoops. Well they've done studies to show common typos don't affect the meaning too much. I've updated it though -
"Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe." - http://www.mrc-cbu.cam.ac.uk/~mattd/Cmabrigde/
This should not have been posted before it was fixed. We all make mistakes, even stupid ones, and I'm sure none of us would like this happening to them.
A bit of professional courtesy would have been in order.
No, you just need functional tests. Having these kinds of bugs in a spare-time project is fine, but if you call yourself a startup and ask customers to trust you with data, you need to seriously consider security issues.
This is a pretty critical exploit... you'd think they'd take the app down or at least change the admin URL while this is resolved. I shouldn't at this moment still be able to reset an arbitrary user's password by going to that URL.
...and how many people have found it and not said anything? we've all used poorly secured admins here and there, but /admin seems particularly egregious.
As we know, hackers regularly turn random door knobs to see which doors open. Logs I can see show more black hat attempts than white hat, so either OldGregg's friend got lucky or a few exploits might have already been made.
If that's true, the lead developer should be fired on the spot. They use that "good" old "security by obscurity". I thought this technique was dead long ago....
Yes, errare humanum est. I guess natural selection will take care of companies like this.
If the developer is the CEO, then the investors should be concerned.
I can believe they stuck their admin at /admin, but it's hard to believe they didn't create an admin bit as part of the users table and check it to access /admin. That takes about 2 minutes if you do it when you create the system.
Oh well, everyone overlooks something that seems obvious to someone else, I guess.
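The admin flag check the comment above describes, as an added example that is not code from Tumblr or from anyone in this thread: an is_admin flag on the user record enforced on every /admin action, plus the functional test that would have caught the open panel. The user table, session shape and handler names are assumed.

```python
# Added example, not Tumblr's code. Models the bug in the thread (an /admin
# password-reset action reachable without an admin check) in its fixed form.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    is_admin: bool = False          # the "admin bit" on the users table
    password_reset: bool = False    # set when the reset action runs


# Constructed sample user table keyed by id (assumed shape).
USERS = {
    1: User(1, "alice@example.com", is_admin=True),
    2: User(2, "bob@example.com"),
}


class Forbidden(Exception):
    """Raised when an anonymous or non-admin session hits /admin."""


def require_admin(handler):
    """Wrap an /admin handler so it runs only for a logged-in admin."""
    def wrapped(session, *args):
        current = USERS.get(session.get("user_id"))
        if current is None or not current.is_admin:
            raise Forbidden("admin privileges required")
        return handler(session, *args)
    return wrapped


@require_admin
def admin_reset_password(session, target_id):
    """The action described in the thread: reset another user's password."""
    USERS[target_id].password_reset = True
    return USERS[target_id]


def functional_test():
    """Anonymous and ordinary users must be denied; an admin must succeed."""
    results = {}
    for name, session in (("anonymous", {}), ("bob", {"user_id": 2})):
        try:
            admin_reset_password(session, 2)
            results[name] = "allowed"
        except Forbidden:
            results[name] = "denied"
    reset = admin_reset_password({"user_id": 1}, 2).password_reset
    results["alice"] = "allowed" if reset else "denied"
    return results
```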
A little harsh maybe.... Developers make mistakes... probably just forgot about it while trying to get the initial release out the door.... It's not like Tumblr is a bank or the DoD.
Forgetting to secure the admin panel isn't a little mistake though, and is easy enough to detect: "Hey, I didn't have to log in to an admin account to use the admin panel, that's weird."
Saying security is less important because it's not a bank doesn't make sense, because it's issues like this that can cost a company its existence.
I'm not advocating firing the developer. If every developer got fired for every stupid silly mistake we'd have no working developers in the world. I was just clarifying the seriousness of this specific flaw. :)
ok, maybe :)
But forgetting to secure your admin area deserves more than a simple warning. Can you imagine if the person that discovered the vulnerability decided to delete all the user accounts?
I didn't know what Tumblr is and I created an account just to confirm the hack (the security hole is still there). But this got me thinking about another post at HN on how to market your site - I guess a blatant (fake?) security hole is one way to do it.
Uh yeah. You must be part of the same marketing team that advises car manufacturers to stage huge vehicle safety recalls. That'll really get the customers knocking.
Tumblr has a great but small team, just like most of us on this site. As someone who makes mistakes, I offer them empathy and sympathy.
The MIT computer lab used to forgo passwords. If you wanted to dick with the system you could, so it removed the thrill of "breaking in". You could mess with other people's accounts but they could mess with yours, too. Kind of like how everyone in Texas carries guns starting in kindergarten and so everyone is really polite.
I think it's a great lesson so I think I'll make my startup's vital information globally accessible (admin functions, source code, even my billing info for the ISP) and trust to my fellow human beings' goodwill.
Edit: just confirmed that it works.
Basically lets you search users by id or email, then gives you the ability to change their email/reset password.