The Tumblr Security Hole: Bad Set-up, Bad Response
by
on April 15, 2008,
Oldgregg from Hacker News reported that a friend found a gaping security hole in Tumblr. He and the friend dutifully reported it to Tumblr, then posted it as either news or a warning to other developers that you should always check, double-check, and re-double-check your app's security.
The hole is a pretty big one. By logging into your own Tumblr account and then manually appending /admin to the URL, you could reach the admin panel for the application. Looking up user accounts by email address or URL, you could then access everything from password resets to account settings to the mobile URL for posting to the Tumblr blog. I checked my own (and took screenshots there) before moving on to other people whose emails I knew, as well as people whose Tumblr URL I simply knew. I was able to view every single one of them.
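The flaw described above is a missing authorization check: being logged in (authentication) was treated as enough to reach /admin. What follows is an added example, not Tumblr's code, modelling that weak guard beside a corrected one that requires the admin role, plus the namespace-level check and the "be right back" maintenance switch a defender would want; the accounts, route table and dispatcher are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class User:
    name: str
    email: str
    is_admin: bool = False

# Constructed sample accounts, not real Tumblr data.
ACCOUNTS: Dict[str, User] = {
    "alice": User("alice", "alice@example.test"),
    "staff": User("staff", "staff@example.test", is_admin=True),
}

def require_login(user: Optional[User]) -> Optional[str]:
    """Authentication only: is *someone* logged in? Per the post, this was all that guarded /admin."""
    return None if user else "401 Unauthorized"

def require_admin(user: Optional[User]) -> Optional[str]:
    """Authorization: logged in AND holding the admin role."""
    if user is None:
        return "401 Unauthorized"
    return None if user.is_admin else "403 Forbidden"

def admin_lookup(_caller: User, email: str) -> str:
    """The admin action from the post: find an account by e-mail and expose its settings."""
    hit = next((u for u in ACCOUNTS.values() if u.email == email), None)
    return f"200 {hit.name}: settings, password reset" if hit else "404 no such account"

# Route table: path -> (guard, handler).
FLAWED_ROUTES = {"/admin": (require_login, admin_lookup)}   # the hole
FIXED_ROUTES = {"/admin": (require_admin, admin_lookup)}    # the fix

def dispatch(routes, path: str, session_user: Optional[str], query: str = "",
             enforce_admin_prefix: bool = False, maintenance: bool = False) -> str:
    """Resolve the session, run the route's guard, then the handler."""
    if maintenance:                      # the "be right back" option the post argues for
        return "503 be right back"
    user = ACCOUNTS.get(session_user) if session_user else None
    # Defence in depth: one namespace-level check so a route registered with
    # too weak a guard cannot expose the whole admin area.
    if enforce_admin_prefix and path.startswith("/admin"):
        err = require_admin(user)
        if err:
            return err
    guard, handler = routes[path]
    err = guard(user)
    return err if err else handler(user, query)
```

With the flawed table an ordinary user reaches another account's reset controls; with the fixed table, or with the prefix check switched on, the same request gets a 403.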
I kept refreshing after taking my screencaps; it took Tumblr over 45 minutes to get it shut down. FORTY-FIVE MINUTES. That's an insane amount of time, during which I wasn't the only one checking it.
In those same 45 minutes, an untold amount of vandalism could have taken place. For all I know, it may very well have. What would be worse? Having users inconvenienced by taking the whole app down for a few minutes while you sort out exactly what you did wrong, or letting anyone with a Tumblr account (or able to set one up quickly) have access to your admin panel?
In an era of application creation when the barrier to entry is small and developers can push apps out quickly, the possibility of success often hinges on getting your app out first. But for users to trust you, you need to get the app out first and have simple things like security in order. I don't use my Tumblr account very much, but I know of others who use it as their primary blog. I wonder if they'll be second-guessing that decision now.
It appears this has been fixed:
http://blog.davidville.com/2008/04/15/security-notice/
45 minutes is still a VERY fast response time for those guys. I know a lot of people never get email responses from them at all.
Phil, it was actually fixed by the time I was able to post.
Steve, I have no idea how long it was actually OPEN like that. It was 45 minutes from the time that it was posted on Hacker News for them to close it. Me? I’d have shut down the whole thing with a “be right back” message while I plugged the leak. That is, if I had created something so easy to find in the first place.