
Hacker finds security hole in Vine that allowed him to download the entire source code

Image: Avicoder

Twitter, like many other companies, runs a bug bounty program that pays reasonably well, and promptly, for reported vulnerabilities. A bug bounty is an arrangement in which a company pays hackers to find vulnerabilities in its systems. It achieves two things: it crowd-sources security testing, and it gives whoever finds a vulnerability an incentive to report it rather than exploit it maliciously.

Encouraged by Twitter's bug bounty program, a researcher going by the handle "avicoder" had been looking into Twitter- and Vine-related vulnerabilities for quite some time. What he found most recently, however, was probably more than he bargained for. Using censys.io, avicoder found a publicly accessible subdomain that appeared to be running a Docker registry.


Investigating further, avicoder queried the registry's API, which listed a total of 82 images, and noticed one called "vinewww." Assuming it might hold something related to the Vine website, which was what he was after, he pulled the image and, when he ran it, found that it contained the entire website: the source code, API keys, and various other private pieces of information.


What makes this more significant is that, based on what avicoder has revealed, the server required no authentication at all, so Twitter could have been serving these Vine images to anyone on the internet for months. avicoder reported the vulnerability to Twitter some time ago and it appears to have been triaged, so the registry holding the Docker images has at least been tentatively fixed.
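The condition described above, a Docker Registry v2 host that answers without credentials, is easy to check for your own infrastructure. The following is an added example, not the researcher's tooling and not anything Twitter published: it probes the registry's `/v2/` version endpoint, classifies the answer (open, authentication required, or not a registry at all), and if the registry is open walks the paginated `/v2/_catalog` listing the same way a client would. The header and endpoint names are those of the Docker Registry HTTP API v2; the hostnames and the sample catalog body are constructed for illustration.

```python
# Added example (not the researcher's tooling): probe a Docker Registry v2 host
# for a catalog endpoint that answers without credentials.
# Hostnames and sample bodies below are constructed placeholders.
import json
import urllib.error
import urllib.request

# Constructed sample /v2/_catalog body: "vinewww" is the image name quoted in the
# article, "example/api" is a placeholder, the integer is junk a robust parser skips.
SAMPLE_CATALOG = '{"repositories": ["vinewww", 5, "example/api"]}'


def classify(status, headers):
    """Classify the unauthenticated GET /v2/ version-check response.

    'open'          : 200 from a registry that asked for no credentials
    'auth-required' : 401 carrying a WWW-Authenticate challenge (Basic or Bearer)
    'not-a-registry': anything else (e.g. a web server that happened to answer)
    """
    h = {k.lower(): v for k, v in headers.items()}
    is_registry = h.get("docker-distribution-api-version", "").startswith("registry/2.0")
    if status == 200 and is_registry:
        return "open"
    if status == 401 and "www-authenticate" in h:
        return "auth-required"
    return "not-a-registry"


def parse_catalog(body):
    """Return repository names from a /v2/_catalog JSON body, skipping non-string entries."""
    data = json.loads(body)
    repos = data.get("repositories")
    if not isinstance(repos, list):
        raise ValueError("catalog response has no 'repositories' list")
    return [r for r in repos if isinstance(r, str)]


def next_page(link_header):
    """Registries paginate the catalog with an RFC 5988 Link header; return the rel="next" URL or None."""
    if not link_header:
        return None
    for part in link_header.split(","):
        target, _, params = part.partition(";")
        if 'rel="next"' in params.replace(" ", ""):
            return target.strip().strip("<>")
    return None


def _get(url, timeout):
    """GET without credentials; return (status, headers, body) even for 4xx/5xx answers."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def probe(base_url, timeout=5, page_size=100):
    """Live check: report whether base_url exposes its catalog and, if so, every repository listed."""
    root = base_url.rstrip("/")
    status, headers, _ = _get(root + "/v2/", timeout)
    verdict = classify(status, headers)
    repos = []
    if verdict == "open":
        url = f"{root}/v2/_catalog?n={page_size}"
        while url:
            status, headers, body = _get(url, timeout)
            if status != 200:
                break
            repos.extend(parse_catalog(body))
            nxt = next_page({k.lower(): v for k, v in headers.items()}.get("link"))
            # Link targets are usually path-relative; resolve them against the root.
            url = root + nxt if nxt and nxt.startswith("/") else nxt
    return {"verdict": verdict, "repositories": repos}


if __name__ == "__main__":
    import sys
    # Usage: python registry_check.py https://registry.example.test   (placeholder host)
    print(json.dumps(probe(sys.argv[1]), indent=2))
```

A verdict of "open" with a non-empty repository list is exactly the exposure the article describes: anyone who can reach the host can pull every image. When triaging such a finding, prefer pulling and unpacking an image (`docker save` writes the layers to a tar archive) over running it, since running an untrusted image executes whatever it contains.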

Bug bounties are a two-way thing, and Twitter has rewarded avicoder adequately for finding the vulnerability: US$10,080, paid back in April.

Source: avicoder
