Hacking xstumbl.com

Connor (PWire)
Private Wire Technologies
3 min read · Nov 7, 2019

Xstumbl is an unofficial Tumblr clone that does not censor user content. Created in 2018 to service users who would not be able to post content on Tumblr due to their updated Terms of Service (ToS), the website follows a similar theme to that of the older Tumblr service.

I was made aware of this service through colleagues who use Tumblr, and I wanted to check it out. Xstumbl had gained some traction among the users affected by the Tumblr ToS update, and many of them started promoting their Xstumbl accounts on their Tumblr ones, stating they were leaving.

It is apparent that the webmaster of Xstumbl uses an application from ‘TumblrClone’, which commercially provides a carbon-copy Tumblr service for private webmasters to host.

This specific clone was centred around adult and fringe content, which makes its user base an increasingly attractive target for bad actors. The service primarily focussed on pornographic content, and therefore anyone with access to the user base could, hypothetically, cause irreparable reputational damage to the users.

The breach occurred when using the platform as a registered user with a verified email address. Searching for a random term such as ‘41841hadjad’ with the built-in search feature did not return a 404 page or a ‘no posts found’ message, but rather a debug screen. This debug feature was supposed to be disabled post go-live but remained available.

Within the debug output were several credentials, including those of the root FTP, MySQL and SendGrid accounts.

Additionally, an nmap port scan showed the following ports open:

21,22,53,80,106,110,143,443,465,993,995,3306

From primary research it appeared that Xstumbl was not using a DDoS or security protection service such as Cloudflare, so the host was directly reachable. This allowed me to immediately SSH and FTP into the server and access the MySQL database as an elevated user.
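As an added illustration (not code from this post or from Xstumbl/TumblrClone), here are the two post go-live checks a defender would want for the flaws described above: a search for a nonsense term must yield a 404 or an empty-result page rather than a debug dump, and the public host must not expose management ports. The debug markers, the settings-dump format and the sample responses are assumptions constructed for this example.

```python
import re

# Assumed markers of a framework debug/error page; the TumblrClone
# software is not public, so these are generic, not product-specific.
DEBUG_MARKERS = ("stack trace", "traceback", "debug",
                 "fatal error", "uncaught exception")

# Config-style secrets as an error page typically dumps them:
# KEY=value, KEY => 'value' or key: value.  Alternation order matters:
# "=>" must be tried before "=" or the ">" is captured as the value.
SECRET_PATTERN = re.compile(
    r"(?i)\b([A-Z_]*(?:PASS(?:WORD)?|SECRET|API[_-]?KEY|TOKEN)[A-Z_]*)\b"
    r"\s*(?:=>|=|:)\s*['\"]?([^'\"\s<]+)"
)

def find_debug_leaks(body: str) -> dict:
    """Report debug markers and secret-looking settings in a response body.
    Secret values are redacted so the report itself is safe to log."""
    lower = body.lower()
    markers = [m for m in DEBUG_MARKERS if m in lower]
    secrets = [(k, v[:2] + "***") for k, v in SECRET_PATTERN.findall(body)]
    return {"markers": markers, "secrets": secrets}

def search_probe_passes(status: int, body: str) -> bool:
    """A search for a random term should give a 404 or an empty-result
    page; any leaked setting, or a 200 with debug markers, is a failure."""
    report = find_debug_leaks(body)
    if report["secrets"]:
        return False
    if status == 404:
        return True
    return status == 200 and not report["markers"]

# Only the web ports belong on a public front end; FTP, SSH, mail and
# MySQL should be firewalled or bound to an internal address.
PUBLIC_ALLOWED = {80, 443}

def exposed_management_ports(open_ports) -> list:
    """Return open ports that should not be reachable from the internet."""
    return sorted(p for p in open_ports if p not in PUBLIC_ALLOWED)

# Constructed sample responses (not captured from the real site).
HEALTHY = (200, "<h1>No posts found</h1>")
LEAKY = (200, "<h1>Debug mode</h1><pre>Stack trace ...\n"
              "DB_PASSWORD => 'PLACEHOLDER_DB_PW'\n"
              "SENDGRID_API_KEY=SG.PLACEHOLDER</pre>")
```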

When analysing the users table (circa 2,500 users), we found a few accounts registered with verified corporate email addresses which could, if used incorrectly, cause irreparable reputational damage to those users, matching our earlier hypothesis.

HeidiSQL and FTP screenshots

At this point it became evident that a major security flaw had been found, and my team and I set out to contact the webmasters and disclose this information to them securely. We were met with gratitude and confusion from an unnamed administrator of the service, who met with us on a conference call. We explained our attack vector and provided evidence as well. We also offered to support the team in closing this attack vector, which they kindly refused.

We found this attack vector on December 23rd 2018 and disclosed it that same day with a barrage of evidence. In line with our own internal policies, we observe a set waiting time before publishing attack vector information, and that period has now elapsed.

I personally reached out to Troy Hunt (founder of haveibeenpwned.com) to supply the credentials we had gained access to, so that users can be informed. We do not believe that Xstumbl has disclosed this breach publicly, and we cannot confirm how long the attack vector was available, how many people accessed it, or whether any other attack vectors exist. Credential searching will be available in due course via HaveIBeenPwned, and this post will be updated accordingly.

We do, however, know that this particular attack vector has been patched and is no longer accessible.

If you’d like more information on this specific case or have any questions, feel free to reach out to me:

Connor, Cyber Security/Terrorism Researcher & Consultant