yeah he said he told them. I would have more sympathy if it was an obscure hole, but something this big is just disrespectful to their users.

This is a pretty critical exploit . . . you'd think they'd take the app down or at least change the admin URL while this is resolved. I shouldn't at this moment still be able to reset an arbitrary user's password by going to that URL.

...and how many people have found it and not said anything? we've all used poorly secured admins here and there, but /admin seems particularly egregious.

It was only open for an hour.

No, it was only open and public for an hour. It could have been open for months, maybe longer.

It was the result of a change today, right before it hit Hacker News (so sayeth Marco of tumblr in the #tumblrs irc channel, anyway; I believe him).

As we know, hackers regularly turn random door knobs to see which doors open. Logs i can see show more black hat attempts than white hat, so either OldGregg's friend got lucky or a few exploits might have already been made.

Ah.

Disrespectful to their users? Tumblr is free. I don't think they owe their users absolute iron clad security.

Cool just making sure because it is still up and you would assume something like this would be taken down immediately.