Posting Exploits
TechCrunch made a post today (that they got from Hacker News) about an exploit in Tumblr that would allow you to access the administration area of the site simply by logging in and adding /admin/ to the URL. You could add posts, change people's emails and reset their passwords; a few bad people could easily do a lot of damage, and apparently some users were affected. While this is a stupid programming mistake by Tumblr (there should be quite a bit of security on the administration panels), I want to talk about what TechCrunch did.
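As an added illustration (not Tumblr's code, and not from the original post), the failure described above is an /admin/ area that only checks "is this user logged in?" rather than "is this user an administrator?"; the vulnerable check sits beside the hardened one, evaluated over constructed sessions.

```python
# Added example: the access-control bug described in the post, in the simplest form.
# Session and role values are constructed for illustration; nothing here is Tumblr's code.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user_id: Optional[int]      # None means an anonymous (not logged in) visitor
    role: str = "user"          # constructed roles: "user" or "admin"


def authorize_vulnerable(path: str, session: Session) -> bool:
    """Broken check: any authenticated account may reach /admin/."""
    if path.startswith("/admin/"):
        return session.user_id is not None
    return True


def authorize_fixed(path: str, session: Session) -> bool:
    """Hardened check: /admin/ requires an authenticated account with the admin role.

    Returns False (deny) for anonymous visitors and for logged-in non-admins.
    """
    if path.startswith("/admin/"):
        return session.user_id is not None and session.role == "admin"
    return True


def audit(paths, sessions):
    """Compare both policies over constructed requests.

    Returns rows of (path, who, vulnerable_allows, fixed_allows) so the
    difference between "logged in" and "is an admin" is visible at a glance.
    """
    rows = []
    for path in paths:
        for session in sessions:
            who = "anonymous" if session.user_id is None else session.role
            rows.append((path, who,
                         authorize_vulnerable(path, session),
                         authorize_fixed(path, session)))
    return rows


if __name__ == "__main__":
    for row in audit(["/admin/users", "/dashboard"],
                     [Session(None), Session(42), Session(1, "admin")]):
        print(row)
```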
They posted it without notifying Tumblr and waiting the hour for them to fix it or deny access to the /admin/ URL. I believe in publishing when a company makes a mistake of this magnitude to show people why they should be concerned with security, and showing the specifics so people can learn from this. Publishing this information before a fix is made or before a fix is out (within a reasonable time frame) is crazy.
Just think about if this was your startup and TechCrunch blogged about your startup's exploit; it could screw over a lot of your users.