Guess what? Someone just downloaded the complete source code of Twitter's Vine.
Vine is a short-form video sharing service where people can share 6-second-long looping video clips. Twitter acquired the service in October 2012.
Indian bug bounty hunter Avinash discovered a weakness in Vine's infrastructure that let him download, without any hassle, a Docker image containing Vine's complete source code.
While hunting for vulnerabilities in Vine, Avinash used Censys.io, a search engine for Internet-connected hosts similar to Shodan. Censys regularly scans the public IPv4 address space and indexes the hosts and services it finds; it does not judge whether they are vulnerable, but an index of everything reachable is enough to surface services that were never meant to be public.
Using Censys, Avinash found over 80 Docker images, but he specifically downloaded 'vinewww', because the image's name resembled the www folder that typically holds a website's files on a web server.
The bug hunter was able to see the entire source code of Vine, along with its API keys and third-party keys and secrets. "Even running the image without any parameter was letting me host a replica of VINE locally," he wrote.
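The incident comes down to secrets living inside an image that anyone who could reach the registry was able to pull. The example below is added here and is not code from the article, from Vine or from Twitter: a small scanner for the archive that `docker save` produces, which walks every layer rather than only the final filesystem, so that a secret "deleted" in a later build step is still reported. The archive layout (a top-level manifest.json listing layer tarballs), the regex patterns and the sample image built inside the code, with dummy key values, are all assumptions for illustration.

```python
"""Scan a saved Docker image archive for baked-in secrets, layer by layer.

Added example for this article; not code from Vine, Twitter or the bug hunter.
Assumes the archive layout produced by `docker save IMAGE > image.tar`:
a top-level manifest.json listing each layer tarball, and every layer
being itself a tar archive of that layer's filesystem changes.
"""
import io
import json
import re
import tarfile

# Illustrative patterns (assumption: tune to the key formats you actually issue).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_secret": re.compile(
        rb"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"
    ),
}
MAX_FILE_BYTES = 1_000_000  # skip large binaries; they need a different scanner


def scan_layer(layer_bytes):
    """Return (path_in_layer, pattern_name) for every pattern that hits a file."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
        for member in layer:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            data = layer.extractfile(member).read()
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    hits.append((member.name, name))
    return hits


def scan_image(image_bytes):
    """Scan every layer named in manifest.json.

    Per-layer scanning matters: a file removed in a later build step is still
    present, intact, in the layer that added it, and whoever pulls the image
    receives every layer.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            for layer_path in entry["Layers"]:
                layer_bytes = image.extractfile(layer_path).read()
                for path, name in scan_layer(layer_bytes):
                    findings.append((layer_path, path, name))
    return findings


def _tar_bytes(files):
    """Build an in-memory tar archive from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed three-layer image (not a real one): web source, a config
    layer with secrets, then a layer that 'deletes' the config via an overlay
    whiteout file. The secrets survive in layer 1 despite the deletion."""
    layer0 = _tar_bytes({"var/www/index.php": b"<?php echo 'hello'; ?>\n"})
    layer1 = _tar_bytes({
        "var/www/config.php": (
            b"<?php\n$aws_key = 'AKIAIOSFODNN7EXAMPLE';\n"
            b"$api_key = 'sk_test_0123456789abcdef0123';\n"
        ),
        "var/www/.env": b"TWILIO_TOKEN=abcdef0123456789abcdef01\n",
    })
    layer2 = _tar_bytes({"var/www/.wh.config.php": b""})  # whiteout marker
    manifest = json.dumps([{
        "Config": "config.json",
        "RepoTags": ["example-www:latest"],
        "Layers": ["l0/layer.tar", "l1/layer.tar", "l2/layer.tar"],
    }]).encode()
    return _tar_bytes({
        "manifest.json": manifest,
        "config.json": b"{}",
        "l0/layer.tar": layer0,
        "l1/layer.tar": layer1,
        "l2/layer.tar": layer2,
    })


if __name__ == "__main__":
    for layer_path, path, name in scan_image(build_sample_image()):
        print(f"{layer_path}\t{path}\t{name}")
```

To scan a real image, pass the bytes of a `docker save` archive to `scan_image` instead of the constructed sample. Two of the three hits in the sample come from a file that the final layer removes, which is exactly the case a scan of the running container's filesystem would miss.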
The 23-year-old reported the issue and demonstrated full exploitation to Twitter on 31 March; the company fixed it within five minutes and rewarded him with a $10,080 bounty.
Avinash has been an active bug bounty hunter since 2015 and has so far reported 19 vulnerabilities to Twitter.