Twitter pays Indian hacker Rs 6.8 lakh for discovering Vine’s source code
Indian bug bounty hunter Avinash Singh was paid $10,080 (around Rs 6.8 lakh) for discovering that Vine’s source code was publicly accessible.
Vine, owned by Twitter, is a video-based micro-blogging platform that lets users upload six-second looping videos. The Hacker News reports that Singh discovered a Docker image for Vine while looking for vulnerabilities using censys.io.
He is a white hat hacker—the good kind
Avinash Singh, an Indian computer security researcher, stumbled across a prized possession earlier this year: the entire source code for Twitter’s short-form video service, Vine.
Singh, who goes by the nickname “avicoder,” uncovered a security hole that allowed him to easily access the cache of code online. In March, he reported the issue to Twitter, which has owned the six-second video service since 2012. Soon after, the company fixed the problem and awarded him $10,080 through its bug bounty partner, the startup HackerOne.
Singh discovered Vine’s valuable code after poking around online with Censys.io, a search engine over Internet-wide scan data that lets researchers find exposed hosts and services. While doing some reconnaissance, he saw an address that caught his attention:
The subdomain in that URL refers to Docker, a fast-growing Silicon Valley startup whose container tooling lets developers package and spin up software applications more quickly. The servers that Singh found hosting the data were unsecured: no password or second factor was required to reach them, so anyone who knew the address could pull the image. “If it is supposed to be private, then why is it publicly accessible?” Singh wondered during his probe, which he recently described in a blog post.
In Censys’ own words, “Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.”
Docker is a containerization platform; a Docker image packages everything needed to run a piece of software, including the application code, system tools, libraries and configuration. It is similar to a system image but lighter and more portable, which is why it is seeing widespread use.
The entire Vine code base was baked into a Docker image used to deploy the site. The image was served from a host on AWS (Amazon Web Services) that should have been private; using Censys, Singh discovered it was reachable from the public Internet. Whatever is baked into an image, source code and credentials alike, is exposed to anyone who can pull it.
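The exposure described above can be checked mechanically. The following Python script is an added example, not code from the article or from Twitter/Vine. It assumes the exposed host spoke the Docker Registry HTTP API v2 (the article only says the Docker image was publicly reachable); the registry URLs, repository names and HTTP responses in it are constructed fixtures, so it runs offline.

```python
"""Probe a Docker Registry v2 endpoint for unauthenticated access.

Added illustration for this article; not code from the article or from
Twitter/Vine. It assumes the exposed host spoke the Docker Registry HTTP API
v2: GET /v2/ answers 200 when no credentials are required and 401 with a
WWW-Authenticate header when they are; GET /v2/_catalog lists repositories
and GET /v2/<name>/tags/list lists tags. The HTTP fetcher is injectable so
the audit can be exercised offline against the constructed fixtures below.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]   # (status, lower-cased headers, body)
Fetcher = Callable[[str], Response]


def http_get(url: str, timeout: float = 5.0) -> Response:
    """Unauthenticated GET; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def classify_v2_root(status: int, headers: Dict[str, str]) -> str:
    """Interpret the answer to GET /v2/, the API's version-check endpoint."""
    # A real registry announces itself with Docker-Distribution-API-Version: registry/2.0,
    # which tells an open registry apart from any web server that happens to return 200.
    is_registry = headers.get("docker-distribution-api-version", "").startswith("registry/2")
    if status == 200:
        return "open" if is_registry else "not-a-registry"
    if status == 401 and "www-authenticate" in headers:
        return "auth-required"          # token or basic auth is enforced
    if status in (401, 403):
        return "blocked"
    return "not-a-registry"


def audit_registry(base: str, fetch: Fetcher = http_get, max_repos: int = 100) -> Dict:
    """Return a report: verdict for /v2/ and, if open, every repository with its tags."""
    base = base.rstrip("/")
    status, headers, _ = fetch(f"{base}/v2/")
    report: Dict = {"registry": base, "verdict": classify_v2_root(status, headers), "repositories": {}}
    if report["verdict"] != "open":
        return report
    status, _, body = fetch(f"{base}/v2/_catalog?n={max_repos}")
    if status != 200:
        return report
    for repo in json.loads(body).get("repositories", []):
        status, _, body = fetch(f"{base}/v2/{repo}/tags/list")
        tags: List[str] = []
        if status == 200:
            tags = json.loads(body).get("tags") or []
        report["repositories"][repo] = tags
    return report


# Constructed fixtures standing in for two hosts; no real registry is contacted.
_OPEN_ROUTES = {
    "https://registry.example/v2/": (200, {"docker-distribution-api-version": "registry/2.0"}, b"{}"),
    "https://registry.example/v2/_catalog?n=100": (200, {}, b'{"repositories":["example/web","example/worker"]}'),
    "https://registry.example/v2/example/web/tags/list": (200, {}, b'{"name":"example/web","tags":["latest","v42"]}'),
    "https://registry.example/v2/example/worker/tags/list": (200, {}, b'{"name":"example/worker","tags":["latest"]}'),
}


def fake_open_registry(url: str) -> Response:
    """A registry that requires no credentials (the situation the article describes)."""
    return _OPEN_ROUTES.get(url, (404, {}, b""))


def fake_gated_registry(url: str) -> Response:
    """A registry fronted by a token service: every request is challenged."""
    challenge = 'Bearer realm="https://auth.example/token",service="registry.example"'
    return 401, {"www-authenticate": challenge, "docker-distribution-api-version": "registry/2.0"}, b'{"errors":[]}'


if __name__ == "__main__":
    print(json.dumps(audit_registry("https://registry.example", fetch=fake_open_registry), indent=2))
    print(json.dumps(audit_registry("https://gated.example", fetch=fake_gated_registry), indent=2))
```

Against a real host, `audit_registry("https://registry.example.com")` uses `http_get` and an "open" verdict means `docker pull` succeeds with no `docker login`, which is the condition the article describes. The remedy is to front the registry with a token or basic-auth service or, for an internal registry, keep it off the public Internet entirely.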
After downloading and running the image, he found that he could host a local copy of Vine himself and browse the source code, API keys and other sensitive information.
Singh reported his findings to Twitter on 31 March and the issue was fixed within five minutes. In return, he received $10,080 for his troubles.
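What a pulled image gives away can be assessed without ever running it. The Python script below is an added example, not the researcher's or Vine's code: it walks an image exported with `docker save` and greps every layer for credential patterns. The two-layer sample image it builds, its file names and the keys inside it are constructed for illustration (the AWS-style key is AWS's own documented example value).

```python
"""Scan a `docker save` image tarball for credentials left in its layers.

Added example, not code from the article or from Twitter/Vine. It assumes
the image was exported with `docker save <image> -o image.tar`, i.e. a tar
whose layers are themselves tar archives (classic `<id>/layer.tar` or OCI
`blobs/sha256/<digest>` entries). The sample image built by
build_sample_image() is constructed for illustration; the AWS-style key in it
is AWS's documented example value, not a live credential.
"""
import io
import re
import tarfile
from typing import List, Optional, Tuple

# (name, compiled pattern). Patterns are deliberately narrow to keep noise low.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_api_key", re.compile(r"""(?i)\b(?:api[_-]?key|secret[_-]?key|token)\b\s*[=:]\s*['"]([^'"\s]{16,})['"]""")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
MAX_FILE_BYTES = 2 * 1024 * 1024   # skip large binaries; baked-in secrets live in small config files

Finding = Tuple[str, str, str, str]   # (layer, path inside layer, pattern name, matched text)


def _open_tar(data: bytes) -> Optional[tarfile.TarFile]:
    """Return a TarFile over data, or None if the bytes are not a tar archive."""
    try:
        return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError:
        return None


def scan_text(layer: str, path: str, text: str) -> List[Finding]:
    """Apply every pattern to one file's text; report the captured secret where the pattern has a group."""
    hits: List[Finding] = []
    for name, pat in SECRET_PATTERNS:
        for m in pat.finditer(text):
            hits.append((layer, path, name, m.group(m.lastindex or 0)))
    return hits


def scan_layer(layer_name: str, layer_bytes: bytes) -> List[Finding]:
    """Walk one layer tar and grep every small regular file in it."""
    findings: List[Finding] = []
    tf = _open_tar(layer_bytes)
    if tf is None:                      # e.g. the `repositories` index file, not a layer
        return findings
    with tf:
        for m in tf.getmembers():
            if not m.isfile() or m.size > MAX_FILE_BYTES:
                continue
            if "/.wh." in "/" + m.name:  # whiteout marker: records a deletion, carries no content
                continue
            f = tf.extractfile(m)
            if f is None:
                continue
            findings.extend(scan_text(layer_name, m.name, f.read().decode("utf-8", errors="ignore")))
    return findings


def scan_image_tarball(data: bytes) -> List[Finding]:
    """Scan every layer inside a `docker save` tarball, in the order they appear."""
    findings: List[Finding] = []
    outer = _open_tar(data)
    if outer is None:
        raise ValueError("not a tar archive")
    with outer:
        for m in outer.getmembers():
            if not m.isfile() or m.name.endswith(".json"):
                continue                # manifest.json and the config json describe layers; they are not layers
            f = outer.extractfile(m)
            if f is not None:
                findings.extend(scan_layer(m.name, f.read()))
    return findings


def _tar_bytes(files) -> bytes:
    """Build an in-memory tar from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image: a clean base layer and an app layer with a baked-in key."""
    base = _tar_bytes([("etc/hostname", b"web-1\n")])
    app = _tar_bytes([
        ("app/config.py", b"AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\nAPI_KEY = 'constructed-example-key-0123456789'\n"),
        ("app/main.py", b"print('hello')\n"),
    ])
    return _tar_bytes([
        ("manifest.json", b'[{"Layers": ["aaa/layer.tar", "bbb/layer.tar"]}]'),
        ("aaa/layer.tar", base),
        ("bbb/layer.tar", app),
    ])


if __name__ == "__main__":
    for layer, path, kind, match in scan_image_tarball(build_sample_image()):
        print(f"{layer}: {path}: {kind}: {match}")
```

Run it against a real export with `scan_image_tarball(open("image.tar", "rb").read())`. Scanning the saved tarball rather than a running container matters because a secret deleted in a later layer still sits in the earlier layer's tar, exactly where an attacker who pulls the image will look.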