It looks like someone stumbled upon a major Twitter boo boo after discovering Vine's entire source code sitting out on the open internet.
Avinash, an Indian bug-bounty hunter, set out looking for loopholes in Vine, Twitter's popular short-video sharing service. He used Censys.io, a search engine over internet-wide scan data, to look for Vine subdomains that were never meant to be exposed to the public.
Subdomains are a natural place to look: a forgotten or misconfigured host can provide an entry point into the main service.
During his search he came across https://docker.vineapp.com, which was hosted on an Amazon EC2 instance.
Even though the domain did not show anything useful at first glance, he dug a little further and found that the host was a Docker image registry serving over 80 different developer images. Rather than going through each one, he went straight for an image called vinewww.
He hit the jackpot: the image contained the entire website's source code, API and third-party keys, and other secrets.
He was also able to spin up a working local copy of the website in a VM without much hassle.
After he reported the problem to Twitter and reproduced his steps for them, they agreed that it needed fixing and shut off public access within five minutes.
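The weak point in this story is a Docker registry that answered anonymous requests. The following script, added here as an example and not code from the original article, Twitter, Vine or Avinash, shows how a practitioner would check their own registry for the same exposure. It assumes the target speaks the standard Docker Registry HTTP API v2, where `GET /v2/_catalog` lists repositories and `GET /v2/<name>/tags/list` lists an image's tags, and where a registry that enforces authentication answers 401 or 403 instead. The host name in the usage line is a placeholder, and the sample replies at the bottom are constructed, not captured from any real registry.

```python
"""Check whether a Docker Registry v2 host lets anonymous clients list its images.

Added example for this article; not Twitter's, Vine's or Avinash's code.
Assumes the standard Docker Registry HTTP API v2 (assumption):
  GET /v2/_catalog          -> {"repositories": [...]}
  GET /v2/<name>/tags/list  -> {"name": ..., "tags": [...]}
A registry that enforces authentication answers 401 (or 403) instead.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

USER_AGENT = "registry-exposure-check/1.0"  # arbitrary, so the check is identifiable in logs


def classify_catalog_response(status: int, body: bytes) -> Tuple[str, List[str]]:
    """Turn the raw reply to GET /v2/_catalog into a verdict.

    Returns ("exposed", repositories) when the registry handed an anonymous
    client its image list, ("auth-required", []) when it demanded credentials,
    and ("unknown", []) for anything else (not a v2 registry, proxy error, ...).
    """
    if status in (401, 403):
        return "auth-required", []
    if status != 200:
        return "unknown", []
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "unknown", []
    repos = data.get("repositories") if isinstance(data, dict) else None
    if not isinstance(repos, list):
        return "unknown", []
    return "exposed", [r for r in repos if isinstance(r, str)]


def parse_tags_response(status: int, body: bytes) -> List[str]:
    """Extract the tag list from GET /v2/<name>/tags/list, or [] if refused or malformed."""
    if status != 200:
        return []
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return []
    tags = data.get("tags") if isinstance(data, dict) else None
    return [t for t in tags if isinstance(t, str)] if isinstance(tags, list) else []


def http_get(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Anonymous GET (no credentials, no bearer token); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def audit_registry(base_url: str) -> Tuple[str, Dict[str, List[str]]]:
    """Live check: catalog verdict plus, if exposed, the tags of every listed image.

    Large registries paginate the catalog (?n= plus a Link header); this reads
    only the first page, which is already enough to prove anonymous exposure.
    """
    base = base_url.rstrip("/")
    verdict, repos = classify_catalog_response(*http_get(base + "/v2/_catalog"))
    tags: Dict[str, List[str]] = {}
    if verdict == "exposed":
        for name in repos:
            tags[name] = parse_tags_response(*http_get(f"{base}/v2/{name}/tags/list"))
    return verdict, tags


# Constructed sample replies (not captured from any real registry) so the
# classification logic can be exercised offline.
SAMPLE_OPEN_CATALOG = b'{"repositories":["vinewww","vineapi","worker"]}'
SAMPLE_UNAUTHORIZED = b'{"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}'
SAMPLE_NOT_A_REGISTRY = b"<html><body>It works!</body></html>"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: registry_check.py https://registry.example.internal")  # placeholder host
        sys.exit(2)
    result, per_image_tags = audit_registry(sys.argv[1])
    print("verdict:", result)
    for image, image_tags in per_image_tags.items():
        print(f"  {image}: {', '.join(image_tags) or '(no tags)'}")
```

A verdict of "exposed" means anyone who finds the host can `docker pull` every listed image and unpack its layers, which is exactly what happened with vinewww. The fix is to require authentication on the registry and keep it off the public internet, and to treat any credentials baked into the images as compromised rather than merely hidden again.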
Avinash was paid Rs. 680,000 (a little over US $10,000) for his efforts.
Maybe it's just me, but I felt as though Twitter could have forked out a little more than that, given that their entire website's source code was publicly available (even if not easily reached by the average John Doe). I guess that's the price that comes with white hat hacking though.