Guess What? Someone just downloaded Twitter’s Vine complete source code.
Vine is a short-form video sharing service where people can share 6-second-long looping video clips. Twitter acquired the service in October 2012.
Indian Bug bounty hunter Avinash discovered a loophole in Vine that allowed him to download a Docker image containing complete source code of Vine without any hassle.
Launched in June 2014, Docker is a new open-source container technology that makes it possible to get more apps running on the same old servers and also very easy to package and ship programs. Nowadays, companies are adopting Docker at a remarkable rate.
However, the Docker images used by the Vine, which was supposed to be private, but actually was available publically online.
While searching for the vulnerabilities in Vine, Avinash used Censys.io – an all new Hacker’s Search Engine similar to Shodan – that daily scans the whole Internet for all the vulnerable devices.
Using Censys, Avinash found over 80 docker images, but he specifically downloaded ‘vinewww’, due to the fact that the naming convention of this image resembles www folder, which is generally used for the website on a web server.
After the download was complete, he ran the docker image vinewww, and Bingo!
The bug hunter was able to see the entire source code of Vine, its API keys as well as third-party keys and secrets. "Even running the image without any parameter, was letting me host a replica of VINE locally," He wrote.
The 23-year-old reported this blunder and demonstrated full exploitation to Twitter on 31 March and the company rewarded him with $10,080 Bounty award and fixed the issue within 5 minutes.
Avinash has been an active bug bounty hunter since 2015 and until now has reported 19 vulnerabilities to Twitter.