How Vine’s Entire Source Code Was Online for Anyone to See

HIGHLIGHTS

  • The ethical hacker was taking part in Twitter’s HackerOne programme
  • The hacker gained access to the source code through a Docker image
  • The bug was fixed by the website within 5 minutes of the flaw’s demonstration

Hackers have a notorious reputation. They like to find every vulnerability that a site possesses and, depending on their intentions, use that knowledge either to create a nuisance for the website owners or to inform them about the loopholes and help make the site safer.

The makers of video-clip sharing site Vine, currently owned by Twitter, should be grateful that the ethical hacker known as ‘avicoder’ chose to be the latter sort when he found a way to download Vine’s entire source code.

For those unfamiliar with the subject, a website’s source code usually contains confidential information, and access to it can leave the site extremely vulnerable to attacks that can potentially even destroy it.

In this case, ‘avicoder’ was only looking for potential security flaws, without any ill intent, and in his blog post he explained the entire flaw and how he gained access to the site’s source code through its Docker image, which should ideally have been private but was publicly available. With the image, he was able to run the service locally on his machine.

“I was able to see the entire source code of vine, its API keys and third party keys and secrets. Even running the image without any parameter, was letting me host a replica of VINE locally,” the hacker said in his blog post.

On March 31, avicoder demonstrated a full exploitation of the security flaw to Twitter as part of its HackerOne bounty programme, and the site then fixed the bug in around 5 minutes. The hacker was awarded a bounty of $10,080 (roughly Rs. 6,73,000) for informing the site about this flaw.
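The kind of pre-publish check that would have caught an image like the one described above: this added Python example (not code from avicoder’s post, Vine or Twitter) audits a `docker save` archive for secret-looking values in the image config’s Env, for shipped source files, and for secret-looking assignments inside the layers. The archive, file names and secret values it uses are constructed for the example.

```python
import contextlib, io, json, re, tarfile
# Heuristic (constructed for this example): NAME containing secret/token/key/password, "=" or ":", then a value.
SECRET_RE = re.compile(r"(?i)\b([A-Z0-9_]*(?:secret|token|api[_-]?key|password)[A-Z0-9_]*)\s*[=:]\s*['\"]?([\w\-/+]{12,})")
SOURCE_EXT = (".py", ".rb", ".js", ".go", ".java", ".php", ".env")

def _add(tar, name, data):  # write an in-memory file into a tar
    info = tarfile.TarInfo(name); info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_sample_image():
    """Constructed stand-in for a `docker save` archive (not a real Vine image)."""
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        _add(t, "app/config.py", b'TWITTER_API_SECRET = "constructedtwittersecret0001"\n')
        _add(t, "app/README", b"no secrets here\n")
    cfg = {"config": {"Env": ["PATH=/usr/bin", "AWS_SECRET_ACCESS_KEY=constructedvalue123"]}}
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as t:
        _add(t, "cfg.json", json.dumps(cfg).encode())
        _add(t, "layer1/layer.tar", layer.getvalue())
    return io.BytesIO(image.getvalue())

def _scan_text(where, text, findings):
    for m in SECRET_RE.finditer(text):
        findings.append({"where": where, "name": m.group(1), "kind": "secret"})

def _scan_layer(layer_name, data, findings):
    # A layer is itself a (possibly compressed) tar; inspect every regular file in it.
    with tarfile.open(fileobj=io.BytesIO(data)) as layer:
        for m in [m for m in layer if m.isfile()]:
            where = f"{layer_name}:{m.name}"
            if m.name.endswith(SOURCE_EXT):
                findings.append({"where": where, "name": m.name, "kind": "source"})
            text = layer.extractfile(m).read(1 << 20).decode("utf-8", "ignore")  # first 1 MiB only
            _scan_text(where, text, findings)

def scan_image_tar(fileobj):
    """Findings from a `docker save` archive: Env secrets in the config, shipped source files, secrets in files."""
    findings = []
    with tarfile.open(fileobj=fileobj) as outer:
        for m in [m for m in outer if m.isfile()]:
            data = outer.extractfile(m).read()
            if m.name.endswith(".json"):  # image config / manifest
                cfg = json.loads(data)
                env = cfg.get("config", {}).get("Env", []) if isinstance(cfg, dict) else []
                _scan_text(f"{m.name}:Env", "\n".join(env), findings)
            else:
                with contextlib.suppress(tarfile.TarError):  # skip non-layer members
                    _scan_layer(m.name, data, findings)
    return findings
```

Run `scan_image_tar(open("image.tar", "rb"))` against a real `docker save` output in CI and fail the publish step on any finding; the regex is a starting point and should be tuned to the secret formats your services use.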


iPhone 6s, iPhone 6s Plus Lock Screen Bypass Lets Anyone Access Contacts, Photos: Report

Apple may have fixed the bug that was causing several apps to crash on iPad and iPhone when clicking a link, but a new bug discovered since remains unpatched. A lock screen bypass has been discovered that allows users to view contacts and photo albums on the iPhone 6s and iPhone 6s Plus without unlocking the smartphones with a passcode or Touch ID fingerprint.

A tech enthusiast who goes by the user name Videosdebarraquito on YouTube first discovered the bug. In a video, he showed that an exploit allows a user to access the contact and photo albums of the iPhone 6s or iPhone 6s Plus without unlocking the smartphones.

By default, iOS and Android limit the number of things a user can access on the phone without unlocking the device. An iPhone user, for instance, can access the camera but cannot check the photo album or access contacts. The exploit takes advantage of unauthenticated access to Siri via the lock screen, and Siri’s access to contacts and photos.

To bypass the lock screen and access the contacts, a user needs to first activate Siri (either with the home button or the hands-free voice command “Hey Siri”) and search for Twitter. The next part of the trick is to search for “@gmail.com” or the domain name of any other email provider with the “@” prefix, which returns a list of results.

From here, a user is required to click the tweet button and then, using the 3D Touch of the iPhone 6s and iPhone 6s Plus, press on the email address and wait for the pop-up window to appear. According to the YouTuber, users will now see an “Add new contact” button, which they need to click. This will give them access to all photos on the device, and similarly, clicking on “Add to existing contact” will give them access to contacts.

The exploit as detailed may require several attempts before Siri searches Twitter for an email address. The Daily Dot reports that the exploit works with 3D Touch-enabled iPhone models running iOS 9 and above through to iOS 9.3.1, though the YouTube user only points to iOS 9.3.1.

While we wait for Apple to fix this bug, you can make some tweaks to Settings to prevent unauthorised users from accessing your photos and contacts. Disabling Siri’s access to photos will prevent anyone from checking your photos. You can do so by going to Settings > Privacy > Photos and then disabling Siri.

Alternatively, you can disable Siri on the lock screen, making it impossible for anyone to exploit the bug. You can do so by going to Settings > Touch ID & Passcode and turning off the Siri switch.
