Mike from Instagram here. We've now locked it down more (the actual admin contents were always properly protected).
We're also part of Facebook's bug bounty whitehat program (https://www.facebook.com/whitehat/bounty/), if anyone comes across something in the future, we welcome responsible disclosure and pay out bounties through the program as well.
I would hope so. It shouldn't matter how "easy" something is to find. If the bug was really that easy, the team should have never let it out onto production.
Off the top of my head I can't speak to Facebook's program, but Google's terms include "substantially affects the confidentiality or integrity of user data". A login page that shouldn't be exposed is a marginal finding and might not qualify.
Also: obviously I don't speak for either Facebook or Google, but I strongly recommend against brute-forcing login prompts to try to prove the point that an exposed console is a real finding.
"Report a bug that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure"
^That's Facebook's. Theoretically, an exposed login page "could...enable access to a system within the Facebook infrastructure", but to be fair, I doubt they had that in mind.
It may be a honeypot. I sometimes set up a bogus form under /admin/ which logs attempts. Adrian Holovaty, on the other hand, redirects /admin/ to the Django docs: http://www.holovaty.com/writing/admin-easter-egg/
Given that they don't seem to have any automatic tests or similar for their APIs (check out their Google group and you'll see that stuff has been broken for a long time for all users without attention. When stuff has been broken in the past, Instagram people will ask "is this still a problem?", like they have no way of checking their own APIs...), I wouldn't expect them to be that crafty.
How do you mask your admin portal when you are small enough that you don't have an intranet? Someone on Hacker News pointed out to me that my admin portal is open, but I never understood how to mask it. http://www.truffle.io/admin/
Any suggestions?
Well, first of all, change the URL to something obscure. That'll take care of most of the problems. Afterwards, you could set SSL certificates so only browsers with the private keys could even access it.
Thanks, I guess I'll explore the option that you described above. Also, there is one more thing I am curious about: Heroku does give a free SSL certificate, but that only works for their domain, meaning something like truffleapp.herokuapp.com; it doesn't work for the custom domain. Do you know any way I can save money on buying an SSL certificate and rather use Heroku's certificate? All the certificates put at least a $1000 hole in the pocket, but eventually, in a week or so, if I can't figure out how to use Heroku SSL, I have to spend that money.
StartCom offers free SSL certificates that are recognized by most browsers: http://cert.startcom.org/
Heroku will still probably charge you a basic fee for enabling SSL, since each certificate requires a dedicated (non-shared) IP address... at least until SNI support becomes more commonplace.
Edit: Just to reiterate what others have said, this is a server-side certificate, which is primarily used for encryption. You'll also want to generate a client-side certificate for authentication purposes. That's something you'd do entirely on your own, no need to go through a third-party CA for that.
Note that StavrosK is probably talking about SSL client authentication, which isn't what most people think about when talking about SSL. Basically, it enables you to allow access only to people with a certain client certificate installed in their browser (i.e., proving the clients' identity to the server, not just the other way around).
Unfortunately I have no idea how this would work on Heroku.
Limit access in the firewall/load balancer/webserver to whitelisted IP addresses. If you don't have static IPs at your office or a VPN, include the IP of a VPS or dev server, and use SSH forwarding (-D for a SOCKS proxy) to access the admin site. And if you're running everything from one server, you can even limit connections to localhost and tunnel connections through there.
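The IP allow-listing described in the comment above, as an added example that is not from the thread or any commenter: a Django-style middleware that hides /admin/ from addresses outside an allow-list. It is written without the Django dependency so it runs stand-alone (the request object only needs `.path` and `.META`); the networks, the trusted proxy address and the `Response` class are constructed placeholders, and in a real project the 404 would be a `django.http.HttpResponseNotFound`.

```python
import ipaddress
from collections import namedtuple

# Constructed allow-list (RFC 5737 documentation ranges): office egress,
# a VPS used as an SSH jump host (ssh -D), and the local tunnel endpoint.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
    ipaddress.ip_network("127.0.0.1/32"),
]

# Stand-in for an HTTP response object; only the status matters here.
Response = namedtuple("Response", ["status"])


def client_ip(meta, trusted_proxies=()):
    """Return the address to authorize on. REMOTE_ADDR is the TCP peer and
    cannot be spoofed; X-Forwarded-For is honoured only when that peer is a
    trusted reverse proxy (e.g. a load balancer), and then only its rightmost
    entry, the one that proxy appended, since earlier entries are client data."""
    peer = meta.get("REMOTE_ADDR", "")
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    if peer in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return peer


def is_allowed(addr, networks=ALLOWED_NETWORKS):
    """True if addr parses as an IP and falls inside any allow-listed network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


class AdminIPRestrictMiddleware:
    """Django-shaped middleware: requests under /admin/ from outside the
    allow-list get a 404, not a 403, so the path does not reveal itself."""

    def __init__(self, get_response, trusted_proxies=("10.0.0.1",)):  # placeholder LB address
        self.get_response = get_response
        self.trusted_proxies = trusted_proxies

    def __call__(self, request):
        if request.path.startswith("/admin/"):
            if not is_allowed(client_ip(request.META, self.trusted_proxies)):
                return Response(404)
        return self.get_response(request)


def handle(path, meta):
    """Run one request through the middleware and return the HTTP status."""
    FakeRequest = namedtuple("FakeRequest", ["path", "META"])
    mw = AdminIPRestrictMiddleware(lambda r: Response(200))
    return mw(FakeRequest(path, meta)).status
```

Pair this with the webserver-level rule rather than relying on it alone, since the webserver check also covers static and health endpoints the middleware never sees.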
I'm not sure what the point in linking to this is. If you regard it as security hole, alert Instagram. If you just want to let people know that Instagram uses Django... well, that information is already on https://www.djangoproject.com.
I changed the top bar color from that blue-green to a red on the production deployment of my app; it helps avoid forgetting which deployment you are messing with.
It would actually be quite interesting to see how large enterprise clients modify/utilize the Django admin... if at all.
Other than Grappelli, I've historically used the admin pretty much as-is. Creating admin functions is one thing, but lots of custom screens is quite another.
I also think that's one thing really lacking from the Django documentation, really great customization of the Admin.
Most of the Django projects I've worked on, people tended to make their own admin panels with things like Bootstrap and Foundation. Django's core team have made their goals clear for the next admin, extensibility and adaptability. https://github.com/twoscoops/django-admin2