
Hacker paid only $10,000 after discovering Vine’s entire source code

Bradley Wint
Jul 28, 2016 11:50pm AST
Photo: Vine

It looks like someone stumbled upon a major Twitter boo boo after they discovered Vine’s entire source code out in the internet wild.

Avinash, an Indian bug-bounty hunter, set out looking for loopholes within Vine, Twitter’s popular short-video sharing service. He used a website called Censys.io to look for subdomains belonging to Vine which should not be in the public’s eye.

He looked for subdomains because they could potentially provide an entry point into the website.

During his search, he came across https://docker.vineapp.com, which was being hosted on an Amazon EC2 virtual server.

Even though the domain did not really show anything useful at the time, he did some Googling and found that Vine was hosting over 80 different developer images on the Amazon server via an app called Docker. Rather than going through each one of them, he tackled an image called vinewww.

He hit big time after discovering the entire website’s source code, API and third party keys, and other secrets.

He was also able to set up a local copy of the website on a VM without much hassle.


After he reported the problem to Twitter and his actions were replicated, the company agreed that it needed to fix the issue, and shut down public access within 5 minutes.

Avinash was paid Rs. 680,000 (which converts to a little over US $10,000) for his efforts.

Maybe it’s just me, but I felt as though Twitter could have forked out a little more than that given that their entire website’s source code was publicly available (even though not accessible by John Doe). I guess that’s the price that comes with white hat hacking though.
