How Vine’s Entire Source Code Was Online for Anyone to See

sristy
How Vine's Entire Source Code Was Online for Anyone to See

HIGHLIGHTS

  • The ethical hacker was taking part in Twitter’s HackerOne programme
  • The hacker gained access to source code through a Docker image
  • The bug was fixed by website within 5 minutes of flaw’s demonstration

Hackers are known to be notorious. They like to find out all the vulnerabilities that various sites possess and depending on their intention, they use this knowledge to either create nuisance for the website owners or inform them about the loopholes to help make the site safer.

The makers of video-clip sharing site Vine, currently owned by Twitter, should be grateful that ethical hacker known by the name ‘avicoder’ chose to be the latter sort when he found a way to download Vine’s entire source code.

For those who are unaware about the subject, a source code for website usually contains confidential information and access to it can leave the site extremely vulnerable to attacks that can potentially even destroy it.

In this case, ‘avicoder’ was just looking at the potential security flaws without any ill intentions and in his blog post, he explained the entire flaw and how he gained the access to the site’s source code through its Docker image, which should ideally have been private but was publicly available. With the image, he was able to run the service locally on his machine.

“I was able to see the entire source code of vine, its API keys and third party keys and secrets. Even running the image without any parameter, was letting me host a replica of VINE locally,” the hacker said in his blog post.

On March 31, avicoder demonstrated a full exploitation of the security flaw to Twitter as part of its HackerOne bounty programme and the site then fixed the bug in around 5 minutes. The hacker was rewarded a bounty of $10,080(roughly Rs. 6,73,000) for informing the site about this flaw.

Tags: Ethical Hacker, Twitter HackerOne, Vine Security Flaw, Vine Source Code

 

[“Source-Gadgets”]