Short Bytes: An Indian security researcher found Vine's source code in plain sight. All he had to do was pull Vine's publicly visible Docker image, and he was even able to host Vine's website locally. After he reported the bug to Twitter, the company patched the flaw and awarded him a $10,080 bug bounty.
Thanks to the bug bounty program, a hacker has gone public, sharing the details of the hack that allowed him to download the entire source code of Twitter's Vine.
In his post, the Indian bug hunter Avinash wrote how he accessed the Docker images of Vine, hosted on what was supposed to be a private Docker registry, with a simple pull command.
Avinash writes about the different tools he uses to discover subdomains. Using Censys.io, he was able to locate https://docker.vineapp.com.
As such URLs aren't supposed to be public, the security researcher smelled something fishy. After playing around with the search API endpoint, he was able to find more than 80 hosted Docker images.
He explains further:
He installed the Docker client on his Ubuntu VM and downloaded the images with a simple pull command:
sudo docker pull https://docker.vineapp.com:443/library/vinewww
Then he ran the vinewww image with an interactive shell. Soon he was able to see Vine's entire source code, API keys, third-party keys and other secrets.
He was even able to host a Vine mirror locally by running the Docker image without any parameters.
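The secrets Avinash found were baked into the image filesystem itself. The following script, added here as an example and not part of the original post or of Twitter's tooling, scans an image exported with `docker save` for credential-looking strings so that such material can be caught before an image is pushed to a registry; the secret pattern and the two-layer sample image are constructed for the example, and the script assumes the `docker save` layout with a top-level manifest.json listing layer tars.

```python
import io
import json
import re
import tarfile

# Credential-looking "KEY=value" shape; constructed for this example, not an exhaustive ruleset.
SECRET_PATTERN = re.compile(rb"(?i)(api[_-]?key|secret[_-]?key|access[_-]?token|password)\s*[=:]\s*\S{8,}")

def scan_layer(layer_bytes):
    """Return the paths of regular files in one layer tar whose content matches SECRET_PATTERN."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
        for member in layer:
            if not member.isfile():
                continue
            data = layer.extractfile(member).read(512 * 1024)  # cap bytes read per file
            if SECRET_PATTERN.search(data):
                hits.append(member.name)
    return hits

def scan_image(image_bytes):
    """Follow manifest.json of a `docker save` tarball and scan every layer it lists."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            for layer_name in entry["Layers"]:
                hits = scan_layer(image.extractfile(layer_name).read())
                if hits:
                    findings[layer_name] = hits
    return findings

def tar_bytes(files):
    """Build an in-memory tar from {name: bytes}; used here to construct the sample image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def constructed_image():
    """Two-layer sample image: a clean layer and one whose config file carries a fake key."""
    clean = tar_bytes({"app/server.py": b"print('hello')\n"})
    leaky = tar_bytes({"app/config.env": b"DB_HOST=db\nAPI_KEY=example-not-real-0123456789\n"})
    manifest = json.dumps([{"Config": "cfg.json", "RepoTags": ["app:latest"],
                            "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return tar_bytes({"manifest.json": manifest, "l1/layer.tar": clean, "l2/layer.tar": leaky})
```

Running `scan_image` over a real `docker save` export reports each layer that carries a matching file, which is the point at which the image should be rebuilt without the secret rather than pushed.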
Avinash reported the bug to Twitter and demonstrated the exploit on 31 March. As a result, Twitter patched the issue and awarded him a $10,080 bug bounty.