A single mistyped letter exposed Tumblr’s database and API keys. The news comes via Reddit: the error occurred when a coder accidentally typed “i?php” instead of “<?php” at the top of a PHP configuration file. PHP copies anything outside its open and close tags straight to the output, so with the opening tag broken every page that included the file was served with its contents as plain text. While the exposure was purely accidental, it shows that there is a need for greater checks and balances within Tumblr.
Maxious on Reddit states:
Tumblr pushed a changeset to production (in /var/www/apps/tumblr/config/config.php) that led to every page starting with “i?php” instead of “<?php”. Underneath were the includes of all scripts, ranging from the database passwords, to how database servers are taken out of production (commenting out of strings in arrays), to how new postids are assigned (there’s a central webservice), to how sharding is done (if ——>30000 then else if $userid > 60000 then etc.), to all the API credentials used by tumblr scripts…
Tumblr addressed the issues saying:
A human error caused some sensitive server configuration info to be exposed this morning. Our technicians took immediate measures to protect from any issues that may come as a result.
We’re triple checking everything and bringing in outside auditors to confirm, but we’ve no reason to believe that anything was compromised. We’re certain that none of your personal info (passwords, etc.) was exposed, and your blog is backed up and safe as always. This was an embarrassing error, but something we were prepared for.
The fact that this occurred at all is still unacceptable, and we’ll be seriously evaluating and adjusting our processes to ensure an error like this can never happen again.
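The kind of check that would have caught this before it reached production, as an added example written for this page and not Tumblr’s own code: a pre-deploy guard that computes the text PHP would emit before its first open tag and refuses any file where that text is non-empty. One caveat worth knowing: php -l does not catch a missing open tag, because a file with no PHP tags at all is valid PHP consisting entirely of inline HTML. The secret-name patterns and the two sample configs are constructed for the example; the values in them are fake.

```python
#!/usr/bin/env python3
"""Pre-deploy guard that refuses PHP files which would be served as plain text.

Added example, not Tumblr's code. PHP copies everything outside its
open/close tags straight to the output, so a config file whose first line
reads "i?php" instead of "<?php" is sent to the client verbatim, secrets
included. Note that `php -l` does not catch this: a file with no open tag
at all is valid PHP consisting entirely of inline HTML. The secret-name
patterns and the sample configs below are constructed for this example.
"""
import re
import sys

# Open tags that are always recognised. A bare "<?" depends on the
# short_open_tag ini setting, so it is deliberately not trusted here.
OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Identifier fragments that usually name a credential (assumed list).
SECRET_NAME = re.compile(r"password|passwd|secret|api_key|token", re.IGNORECASE)


def leaked_prefix(source: str) -> str:
    """Text PHP would send to the client before interpreting any code.

    With no open tag anywhere in the file, that is the whole file.
    """
    match = OPEN_TAG.search(source)
    return source if match is None else source[: match.start()]


def audit(source: str) -> dict:
    """Describe what a web server would hand out for this file as-is."""
    prefix = leaked_prefix(source)
    exposed = [
        (lineno, line.strip())
        for lineno, line in enumerate(prefix.splitlines(), 1)
        if SECRET_NAME.search(line)
    ]
    return {
        "has_open_tag": OPEN_TAG.search(source) is not None,
        "leaked_bytes": len(prefix.encode("utf-8")),
        "exposed_secret_lines": exposed,
    }


def deploy_ok(source: str) -> bool:
    """True only if nothing precedes the first open tag.

    Strict on purpose: even a BOM or a blank line before "<?php" is emitted
    as output and breaks later header() calls, so it is treated as a defect.
    """
    return leaked_prefix(source) == ""


# Constructed sample resembling the kind of file that leaked (fake values).
BROKEN_CONFIG = """i?php
// database and sharding settings
$db_password = 'not-a-real-secret';
$api_key = 'also-not-real';
$shard = ($userid > 30000) ? 'db2' : 'db1';
"""
GOOD_CONFIG = BROKEN_CONFIG.replace("i?php", "<?php", 1)


def main(paths: list) -> int:
    """Exit non-zero if any file would leak; usable as a CI or pre-commit step."""
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            source = fh.read()
        report = audit(source)
        if not deploy_ok(source):
            bad += 1
            print(f"{path}: {report['leaked_bytes']} bytes would be served verbatim")
            for lineno, text in report["exposed_secret_lines"]:
                print(f"  line {lineno}: {text}")
    return 1 if bad else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No paths given: demonstrate on the constructed samples.
    print("broken:", audit(BROKEN_CONFIG))
    print("good:  ", audit(GOOD_CONFIG), "deploy_ok =", deploy_ok(GOOD_CONFIG))
```

Run it with the paths of the PHP files in a changeset (for example from a pre-commit hook or a CI step before the deploy job) and block the push on a non-zero exit. The guard is deliberately stricter than "does the file parse": it treats any bytes ahead of the first open tag, including a stray BOM, as output that would reach a client.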