Hacker Downloads Twitter's Vine Full Source Code and Gets Paid $10,000 for Reporting It


Guess what? Someone just downloaded the complete source code of Twitter’s Vine and was paid about $10,000 for it. Seems I'm going to become a bounty hunter soon... Hehehe.

Vine is a short-form video sharing service where people can share 6-second-long looping video clips. Twitter acquired the service in October 2012. 

Indian bug bounty hunter Avinash discovered a loophole in Vine that allowed him to download a Docker image containing the complete source code of Vine without any hassle.

Launched in June 2014, Docker is a new open-source container technology that makes it possible to get more apps running on the same old servers and makes it very easy to package and ship programs. Nowadays, companies are adopting Docker at a remarkable rate.

However, the Docker images used by Vine, which were supposed to be private, were actually publicly available online.

While searching for vulnerabilities in Vine, Avinash used Censys.io – an all-new hacker's search engine similar to Shodan – which scans the whole Internet daily for vulnerable devices.

Using Censys, Avinash found over 80 Docker images, but he specifically downloaded 'vinewww' because its name resembles the www folder, which is generally used for the website on a web server.

After the download was complete, he ran the docker image vinewww, and Bingo! 

The bug hunter was able to see the entire source code of Vine, its API keys as well as third-party keys and secrets. "Even running the image without any parameter, was letting me host a replica of VINE locally," he wrote.

The 23-year-old reported this blunder and demonstrated full exploitation to Twitter on 31 March, and the company rewarded him with a $10,080 bounty and fixed the issue within 5 minutes.

Avinash has been an active bug bounty hunter since 2015 and until now has reported 19 vulnerabilities to Twitter.
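The image in this story carried API keys and third-party secrets, so a pre-publish check of your own images is the defensive takeaway. The following is an added example, not code from the original report or from Twitter: it scans every layer of a `docker save` archive for secret-like content. The patterns, function names and the sample image are constructed, and the archive layout (a `manifest.json` listing `Layers`) is assumed.

```python
import io, json, re, tarfile

# Constructed rules for this example (an assumption, not a complete rule set).
SECRET_PATTERNS = {
    "key/secret assignment": re.compile(
        rb"(?i)\b[\w.-]*(?:api[_-]?key|secret|token|password)[\w.-]*"
        rb"\s*[=:]\s*['\"]?[^\s'\"]{8,}"),
    "private key block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def scan_image_tar(image_bytes, max_file_size=1_000_000):
    """Return sorted (layer, path, rule) findings for a `docker save` archive."""
    findings = set()
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        layers = [name for entry in manifest for name in entry["Layers"]]
        for layer_name in layers:
            # Scan every layer: a file removed by a later layer is still stored here.
            layer_data = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_data)) as layer:
                for member in layer:
                    if not member.isfile() or member.size > max_file_size:
                        continue
                    data = layer.extractfile(member).read()
                    for rule, pattern in SECRET_PATTERNS.items():
                        if pattern.search(data):
                            findings.add((layer_name, member.name, rule))
    return sorted(findings)

def make_tar(files):
    """Build an in-memory tar archive from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed two-layer image; layer 2 'deletes' the config with a whiteout."""
    layer1 = make_tar({"var/www/config/settings.py": b'API_KEY = "EXAMPLE-not-a-real-key-0000"\n',
                       "var/www/index.html": b"<h1>hello</h1>\n"})
    layer2 = make_tar({"var/www/config/.wh.settings.py": b""})
    manifest = json.dumps([{"RepoTags": ["example/www:latest"],
                            "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return make_tar({"manifest.json": manifest, "l1/layer.tar": layer1, "l2/layer.tar": layer2})

if __name__ == "__main__":
    print(scan_image_tar(build_sample_image()))
```

The sample's second layer removes `settings.py`, yet the scan still reports it, because deleting a file in a later layer does not remove it from the earlier layer that ships inside the image.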
