Mistyped tag leads to exposure of Tumblr DB passwords and API keys

Sometimes it doesn't matter how robust your security is or how diligently you keep your systems patched, because a single human can always be the weakest point in the operation. Tumblr learned this the hard way after a single mistyped letter exposed their database credentials and API keys.

The information comes via Reddit, where a user discovered the exposure. The error happened when a coder accidentally typed `i?php` instead of the PHP open tag `<?php`. Maxious states:

Tumblr pushed a changeset to production (in /var/www/apps/tumblr/config/config.php) that led to every page starting with "i?php" instead of "<?php". Underneath was the includes of all scripts, ranging from the database passwords, to how database servers are taken out of production (commenting out of strings in arrays) to how new postids are assigned (there's a central webservice), to how sharding is done (if $userid > 30000 then else if $userid > 60000 then etc.) to all the API credentials used by tumblr scripts:
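The mechanism behind the leak is simple: PHP only executes what sits between `<?php` and `?>`, so a file whose open tag is mistyped is sent to the browser as plain text, including whatever credentials it contains. The check below is an added example, not code from the article or from Tumblr, of the kind of pre-commit or CI gate that would have caught this: it reads each `.php` file as bytes and flags any file that does not begin with a valid open tag (a leading BOM or whitespace is flagged too, since PHP emits those verbatim as well). The sample file contents are constructed for the example.

```python
"""Pre-commit style check: a PHP file whose first bytes are not a valid
open tag is served as plain text, exposing everything in it."""
import re
from pathlib import Path

# A valid start: the full open tag "<?php" (followed by a non-word
# character) or the echo tag "<?=". Short tags are deliberately not accepted.
OPEN_TAG = re.compile(rb"\A(<\?php\b|<\?=)")


def check_php_source(data: bytes) -> list:
    """Return a list of findings for one PHP source file (empty means OK)."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before the open tag (PHP emits it as output)")
        data = data[3:]
    if data[:1].isspace():
        findings.append("whitespace before the open tag (PHP emits it as output)")
        data = data.lstrip()
    if not OPEN_TAG.match(data):
        head = data[:8].decode("ascii", "replace")
        findings.append(f"file does not start with '<?php' (starts with {head!r})")
    return findings


def check_tree(root: str) -> dict:
    """Scan a directory tree and map each offending file path to its findings."""
    results = {}
    for path in Path(root).rglob("*.php"):
        findings = check_php_source(path.read_bytes())
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples: a correct config file and the single-letter typo
# described in the article (hypothetical contents, not Tumblr's file).
GOOD_CONFIG = b"<?php\n$db_pass = 'placeholder';\nrequire 'shards.php';\n"
BAD_CONFIG = b"i?php\n$db_pass = 'placeholder';\nrequire 'shards.php';\n"

if __name__ == "__main__":
    for name, src in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_php_source(src) or "OK")
```

Note that `php -l` alone would not have caught this: a file with no open tag at all is syntactically valid PHP (it is just inline HTML), so the linter reports no errors. A byte-level check on the open tag, run before a change can reach production, is what closes the gap.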

While the exposure was purely accidental, it shows that Tumblr needs stronger checks and balances before changes reach production, which is something they addressed in a post on their blog:

A human error caused some sensitive server configuration information to be exposed this morning. Our technicians took immediate measures to protect from any issues that may come as a result.

We’re triple checking everything and bringing in outside auditors to confirm, but we have no reason to believe that anything was compromised. We’re certain that none of your personal information (passwords, etc.) was exposed, and your blog is backed up and safe as always. This was an embarrassing error, but something we were prepared for.

The fact that this occurred at all is still unacceptable, and we’ll be seriously evaluating and adjusting our processes to ensure an error like this can never happen again.

The exposure of any database is always alarming because of the amount of data that could be obtained. While it is not a security best practice, most users do reuse the same password and handles across multiple sites. Tumblr states that they don't believe anything was compromised, but it is still a good idea to change your password if you are a Tumblr user.
