This repository has been archived by the owner. It is now read-only.

Tumblr has a lax crossdomain.xml #1536

Closed
chadwhitacre opened this Issue Oct 4, 2013 · 7 comments

2 participants
@chadwhitacre
Contributor

chadwhitacre commented Oct 4, 2013

Reported by @danishtariq in private email.

http://blog.gittip.com/crossdomain.xml

[screenshot: capture]

What are the implications of this? The Tumblr admin interface is on https://tumblr.com/, so I'm not sure that we're actually exposed to anything here. Are we?

mvdkleijn added a commit that referenced this issue Oct 7, 2013

Merge pull request #1537 from gittip/1536-ack
Add danishtariq to security.txt for #1536
@zwn

Contributor

zwn commented Oct 8, 2013

Why is this closed? I don't see any resolution.

@chadwhitacre

Contributor

chadwhitacre commented Oct 8, 2013

@zwn The security researcher was especially eager to get on our security.txt page, so I added him (why not?) and made this ticket so we'd have something to reference. However, I don't think this is actually a problem. If it is, it's a Tumblr problem (and if we are concerned about it the resolution would be to leave Tumblr). But the Tumblr admin is on a different URL than blog.gittip.com, and it has a much more restrictive policy:

[screenshot: capture]

It's possible that there are some endpoints exposed through blog.gittip.com that could raise a whiff of vulnerability. I'm not aware of any and "tumblr crossdomain xml" doesn't turn up much on Google. And what's the worst case? Our blog is defaced or destroyed. Not the end of the world. Therefore I interpret this as a non-issue.
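Added example, not code from this issue, the Gittip project, or Tumblr: a small Python checker that parses a crossdomain.xml policy and flags the settings that make it lax, which is the triage a pentester would do on the two policies compared above (the wildcard one on the blog host and the restrictive one on the admin host). The two policy documents, the heuristics, and the names `assess_policy`, `LAX_POLICY` and `STRICT_POLICY` are constructed for illustration; they are not the files actually served by blog.gittip.com or tumblr.com.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a wildcard policy, the pattern a hosted-blog platform
# serves so that Flash clients on any site can read public feeds from the blog
# hostname. (Illustrative; not the file actually served by blog.gittip.com.)
LAX_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

# Constructed sample: the kind of restrictive policy an admin host should serve:
# only the site's own subdomains, only from SWFs loaded over HTTPS, and no
# secondary policy files honoured elsewhere on the host.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com" secure="true"/>
</cross-domain-policy>
"""


def assess_policy(xml_text, served_over_https=True):
    """Return a list of findings describing why a crossdomain.xml is lax.

    An empty list means nothing was flagged. A Flash/Silverlight client that
    this file allows can send requests to the host with the browser's cookies
    for that host and read the responses, so each finding is about how wide
    that door is. What it actually exposes depends on whether the host has any
    authenticated or user-specific endpoints; that check stays manual.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")

    findings = []

    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": '
                        "policy files anywhere on the host are honoured")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        # Adobe's default for "secure" is true when the policy is served over
        # HTTPS; the attribute is ignored for a plain-HTTP policy file.
        secure = el.get("secure", "true").lower() != "false"
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may read '
                            "responses sent with the user's cookies")
        elif domain.startswith("*.") and domain.count(".") == 1:
            # "*.com"-style entries; public-suffix handling is out of scope here.
            findings.append(f'allow-access-from domain="{domain}": wildcard over a top-level domain')
        if served_over_https and not secure:
            findings.append(f'allow-access-from domain="{domain}" secure="false": '
                            "SWFs loaded over plain HTTP may reach this HTTPS host")

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any origin '
                            "may add custom request headers")

    return findings


if __name__ == "__main__":
    for name, policy in (("lax", LAX_POLICY), ("strict", STRICT_POLICY)):
        print(name, assess_policy(policy) or ["nothing flagged"])
```

Run against a fetched `crossdomain.xml` the findings tell you how broad the policy is; whether a wildcard matters is then a question of what the host serves. For a blog hostname with only public content and no session cookies of its own, a `domain="*"` entry lets a SWF from anywhere read what any visitor could already read, which is the reasoning in the comment above.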

@chadwhitacre

Contributor

chadwhitacre commented Oct 8, 2013

This seems to explain the purpose of the lax crossdomain.xml on Tumblr:

Yay, tumblr now has crossdomain.xml files for everyone’s tumblelogs, so flash developers can access the tumblr api and feeds without having to use a proxy!

http://blog.daryn.net/post/24938953/crossdomain-xml

@chadwhitacre

Contributor

chadwhitacre commented Oct 8, 2013

This Tumblr theme has a crossdomain.xml, but it seems to be there because of HTML5 Boilerplate (compare here). Tumblr's theme docs make no mention of crossdomain.xml, nor do I find anything promising in the Tumblr theme modification UI. The API docs indicate that all API requests go through api.tumblr.com, with the hostname of the blog specified as a path part.

@chadwhitacre

Contributor

chadwhitacre commented Oct 8, 2013

Here's the v1 docs:

http://www.tumblr.com/docs/en/api/v1

It mentions these two endpoints, which do exist:

The first is read-only and unconcerning to us (though it coheres with the "Yay, tumblr" comment above insofar as the person there wanted to access "the tumblr api and feeds"). The second is actually not documented though it is mentioned at the top.

I really think we don't care about this.

@zwn

Contributor

zwn commented Oct 8, 2013

Ok, thanks. I was not sure if it was closed intentionally or as a side effect of merging the pull request.

@chadwhitacre

Contributor

chadwhitacre commented Oct 8, 2013

:-)
