Tumblr 'Database and API Keys' Exposed with a Mistyped Tag


A single mistyped letter exposed Tumblr's database and API keys. The news comes via Reddit: the error occurred when a coder accidentally typed "i?php" instead of "<?php". While the exposure was purely accidental, it shows that there's a need for greater checks and balances within Tumblr.

Maxious on Reddit states:

Tumblr pushed a changeset to production (in /var/www/apps/tumblr/config/config.php) that led to every page starting with "i?php" instead of "<?php". Underneath was the includes of all scripts, ranging from the database passwords, to how database servers are taken out of production (commenting out of strings in arrays) to how new postids are assigned (there's a central webservice), to how sharding is done (if ------>30000 then else if $userid > 60000 then etc.) to all the API credentials used by tumblr scripts…

Tumblr addressed the issue, saying:

A human error caused some sensitive server configuration info to be exposed this morning. Our technicians took immediate measures to protect from any issues that may come as a result.

We're triple checking everything and bringing in outside auditors to confirm, but we've no reason to believe that anything was compromised. We're certain that none of your personal info (passwords, etc.) was exposed, and your blog is backed up and safe as always. This was an embarrassing error, but something we were prepared for.

The fact that this occurred at all is still unacceptable, and we'll be seriously evaluating and adjusting our processes to ensure an error like this can never happen again.
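A pre-deploy check for the failure described above, as an added example (not code from Tumblr or from the original article): it flags a `.php` file whose open tag is mangled or missing and, for directories assumed to hold code-only files, any bytes in front of the tag. The function names, the `config`/`lib` directory policy and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# "?php" with no "<" in front of it, e.g. the "i?php" typo from the incident.
MANGLED_TAG = re.compile(rb"(?<!<)\?php\b", re.IGNORECASE)

def check_php_source(data: bytes, code_only: bool):
    """Return why this file would leak text to clients, or None if it looks safe."""
    mangled = MANGLED_TAG.search(data)
    if mangled:
        return f"mangled open tag at byte {mangled.start()}"
    first = OPEN_TAG.search(data)
    if first is None:
        return "no open tag: the whole file is served as plain text"
    if code_only and first.start() > 0:
        return f"{first.start()} byte(s) before the open tag are sent as output"
    return None

def scan_tree(root: Path, code_only_dirs=("config", "lib")) -> dict:
    """Check every .php file under root; files in code_only_dirs must start with the tag."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root)
        strict = rel.parts[0] in code_only_dirs  # assumed policy: no template files here
        reason = check_php_source(path.read_bytes(), strict)
        if reason:
            findings[rel.as_posix()] = reason
    return findings

def demo() -> dict:
    """Build a constructed source tree (not Tumblr's code) and scan it."""
    samples = {
        "config/config.php": b"i?php\n$db_password = 'EXAMPLE-ONLY';\n",
        "config/ok.php": b"<?php\n$debug = false;\n",
        "config/bom.php": b"\xef\xbb\xbf<?php\n$x = 1;\n",
        "views/page.php": b"<html><?php echo $title; ?></html>\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in samples.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        return scan_tree(root)

if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"FAIL {name}: {reason}")
```

Run as a deployment gate, a non-empty result from `scan_tree` should block the push; the mangled-tag pattern is a heuristic and can also match a literal `?php` inside a string or URL.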


About The Author

Deepak Gupta is an IT & Web Consultant. He is the founder and CEO of diTii.com & DIT Technologies, where he's engaged in providing Technology Consultancy, Design and Development of Desktop, Web and Mobile applications using various tools and software.