Security Flaw Found in Tumblr, Company Says It’s Now Fixed

It started with a tweet Saturday morning, sounding an alarm of a security breach in the popular microblogging platform Tumblr. “OMG… The Tumbeasts are spitting out passwords!,” it warned.

That tweet spread like wildfire, notifying the world of a coding error that opened a security hole with the potential of revealing users’ passwords, server IP addresses, API keys and personal information.

Fortunately, Tumblr reacted, fixing the problem and then issuing this official message about 5 to 6 hours after the flaw was discovered:

“A human error caused some sensitive server configuration information to be exposed this morning. Our technicians took immediate measures to protect from any issues that may come as a result.

We’re triple checking everything and bringing in outside auditors to confirm, but we have no reason to believe that anything was compromised. We’re certain that none of your personal information (passwords, etc.) was exposed, and your blog is backed up and safe as always. This was an embarrassing error, but something we were prepared for.

The fact that this occurred at all is still unacceptable, and we’ll be seriously evaluating and adjusting our processes to ensure an error like this can never happen again.

Please let us know if you have absolutely any questions.”

What caused the error? That’s still under intense discussion at The Hacker News and elsewhere in the hacker community, but many think the culprit was an errant piece of PHP code. Obviously, spelling counts.

Let us know in the comments if you think those who discovered the security flaw were more eager to broadcast its existence than to notify the Tumblr coders who might have been in a position to quickly fix it.
