Mistyped tag leads to exposure of Tumblr DB passwords and API keys
10 points by Maxious on March 19, 2011
Tumblr pushed a changeset to production (in /var/www/apps/tumblr/config/config.php) that led to every page starting with i?php instead of <?php. Underneath were the includes of all scripts, ranging from the database passwords, to how database servers are taken out of production (commenting out of strings in arrays) to how new postids are assigned (there's a central webservice), to how sharding is done (if $userid > 30000 then else if $userid > 60000 then etc.) to all the API credentials used by Tumblr scripts:

Amazon S3

Google Maps

Heywatch (Video Encoding)

Authorize.net (Credit Card processing)

Vimeo

Clickatell (Mass SMS sending)

Facebook

Recaptcha

Twitter

Some interesting URLs defined later: /coco /kirbabble /collegehumor /newsweek /frederator /sharks_vs_cats /choose_world_cup_flag /nyfw/streams (new york fashion week) /add_haiti_ribbon /pay/:amount/:key/:nipple_direction/:nipple_offset/address /valentine/send/:id /help_beta
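
A pre-deploy check for the failure described in the post above, as an added example that is not part of the original post or Tumblr's code: `php -l` does not catch a mistyped open tag, because text outside `<?php` is legal inline output, so this scans code-only PHP files and flags any that do not begin with the tag. The file names and the placeholder secret in `demo()` are constructed, and the rule assumes config and include files contain no intentional inline HTML.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# A code-only PHP file (config, library, include) must begin with the open tag.
# Bytes before the first "<?php" are inline text that PHP sends to the client,
# and a file with no open tag at all is sent in full, secrets included.
STARTS_WITH_TAG = re.compile(rb"\A<\?php(?:\s|\Z)", re.IGNORECASE)


def check_php_bytes(data: bytes) -> Optional[str]:
    """Return a finding for a code-only PHP file, or None if it is fine."""
    if not data.strip() or STARTS_WITH_TAG.match(data):
        return None
    pos = data.lower().find(b"<?php")
    if pos == -1:
        return "no '<?php' open tag: the whole file is served as page output"
    # Covers stray characters, a UTF-8 BOM, or leading whitespace before the tag.
    return f"{pos} byte(s) before '<?php' are served as page output: {data[:pos][:20]!r}"


def scan_tree(root: Path) -> Dict[str, str]:
    """Check every *.php file under root; map relative path -> finding."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        reason = check_php_bytes(path.read_bytes())
        if reason:
            findings[path.relative_to(root).as_posix()] = reason
    return findings


def demo() -> Dict[str, str]:
    """Run the scan over a constructed tree that reproduces the typo."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "config"
        cfg.mkdir()
        # Constructed sample: the mistyped tag from the post, placeholder secret.
        (cfg / "config.php").write_bytes(b"i?php\n$db_password = 'PLACEHOLDER';\n")
        (cfg / "routes.php").write_bytes(b"<?php\n$routes = array();\n")
        (cfg / "bom.php").write_bytes(b"\xef\xbb\xbf<?php\n$x = 1;\n")
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    results = demo()
    for name, reason in results.items():
        print(f"FAIL {name}: {reason}")
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the deploy
```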


