Short Bytes: An Indian security researcher found Vine’s source code in plain sight. All he had to do was pull Vine’s publicly reachable Docker image with an ordinary docker pull command, and he was even able to host Vine’s website locally. After he reported the bug to Twitter, the company patched the flaw and awarded him a $10,080 bug bounty.

Major technology companies like Facebook, Microsoft, Google, and Twitter run well-organized bug bounty programs that allow white hats to attack their websites and servers. These companies are known to pay large sums for vulnerabilities found in their systems.

Thanks to these bug bounty programs, a hacker has gone public with the details of a hack that allowed him to download the entire source code of Twitter’s Vine.

In his post, the Indian bug-hunter Avinash described how he accessed the Docker images of Vine, which were supposed to live in a private Docker registry, with a simple docker pull command.

Avinash writes about the different tools he uses to discover subdomains. Using Censys.io, he located https://docker.vineapp.com.

As such URLs aren’t supposed to be public, the security researcher smelled something fishy. After poking at the registry’s search API endpoint, he found more than 80 hosted Docker images.

He explains further:

I’ve worked on Docker earlier, and the experience helped me realize that there could be some chance of finding code in these images. The chances that developers frequently use it to share data, as they do not have to go through the process of setting up the environment again on their local machines, were quite high.


He installed the Docker client on his Ubuntu VM and downloaded the image with a plain pull command. The registry host and port are given as the leading part of the image reference; docker pull does not accept a URL scheme such as https://, so the reference is written without one:

sudo docker pull docker.vineapp.com:443/library/vinewww

Then he ran the vinewww image with an interactive shell (docker run -it). Inside the container he could see Vine’s entire source code, API keys, third-party keys and other secrets. No exploit beyond fetching the image was needed: anyone who could reach the registry and pull the image could read the same material.

He was even able to host a Vine mirror locally by running the Docker image with no extra parameters, since its default command brought up the site.
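The whole chain above (find an open registry, list what it holds, fetch an image, dig secrets out of it) can be driven through the Docker Registry v2 HTTP API without starting a single container. The script below is an added example, not Avinash’s code and not anything from Vine or Twitter: it checks whether /v2/ answers an anonymous client (a locked-down registry replies 401 with a WWW-Authenticate header), walks the documented /v2/_catalog and /v2/<repo>/tags/list endpoints, fetches each schema 2 manifest, verifies every layer blob against its digest, and greps the layer tarballs for key-like strings. The registry host, the library/vinewww:latest repository, the injected fetcher interface and the planted AWS sample key are all constructed so the script runs offline; urllib_fetch is the fetcher you would pass for a live host.

```python
"""Audit an exposed Docker Registry v2: is it open, what does it hold, and do its
layers leak secrets? Added example; the registry below is constructed, not Vine's."""
import hashlib
import io
import json
import re
import tarfile
from typing import Callable, Dict, List, Optional, Tuple

# A fetcher returns (status, headers, body). It is injected so the audit can run
# offline against the fake registry at the bottom; urllib_fetch() talks to a real one.
Fetcher = Callable[[str, Optional[Dict[str, str]]], Tuple[int, Dict[str, str], bytes]]
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

SECRET_PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment": re.compile(rb"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]?[A-Za-z0-9/+_-]{16,}"),
}


def urllib_fetch(url: str, headers: Optional[Dict[str, str]] = None):
    """Fetcher for a live registry (not exercised by the offline run)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def registry_is_open(fetch: Fetcher, base: str) -> bool:
    # A registry behind token auth answers /v2/ with 401 plus WWW-Authenticate;
    # a 200 to an anonymous client is the misconfiguration the Vine find relied on.
    status, _, _ = fetch(f"{base}/v2/", None)
    return status == 200


def list_repositories(fetch: Fetcher, base: str) -> List[str]:
    status, _, body = fetch(f"{base}/v2/_catalog?n=1000", None)
    if status != 200:
        raise RuntimeError(f"catalog listing refused: HTTP {status}")
    return json.loads(body)["repositories"]


def list_tags(fetch: Fetcher, base: str, repo: str) -> List[str]:
    status, _, body = fetch(f"{base}/v2/{repo}/tags/list", None)
    if status != 200:
        return []
    return json.loads(body).get("tags") or []


def layer_digests(fetch: Fetcher, base: str, repo: str, tag: str) -> List[str]:
    # Without the Accept header a registry may fall back to a schema 1 manifest,
    # whose layers sit under "fsLayers"/"blobSum"; this example handles schema 2 only.
    status, _, body = fetch(f"{base}/v2/{repo}/manifests/{tag}", {"Accept": MANIFEST_V2})
    manifest = json.loads(body) if status == 200 else {}
    if manifest.get("schemaVersion") != 2:
        raise RuntimeError(f"no schema 2 manifest for {repo}:{tag} (HTTP {status})")
    return [layer["digest"] for layer in manifest["layers"]]


def scan_layer(fetch: Fetcher, base: str, repo: str, digest: str) -> List[Tuple[str, str]]:
    """Return (path, pattern_name) hits found inside one layer tarball."""
    status, _, blob = fetch(f"{base}/v2/{repo}/blobs/{digest}", None)
    if status != 200:
        raise RuntimeError(f"blob {digest} refused: HTTP {status}")
    if "sha256:" + hashlib.sha256(blob).hexdigest() != digest:
        raise RuntimeError(f"blob {digest} failed digest verification")
    hits = []
    # mode "r:*" reads both gzip-compressed layers (the usual media type) and plain tar.
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    hits.append((member.name, name))
    return hits


def audit_registry(fetch: Fetcher, base: str) -> Dict[str, object]:
    """Walk every repo/tag/layer; findings are (repo, tag, path, pattern_name)."""
    if not registry_is_open(fetch, base):
        return {"open": False, "findings": []}
    findings = []
    for repo in list_repositories(fetch, base):
        for tag in list_tags(fetch, base, repo):
            for digest in layer_digests(fetch, base, repo, tag):
                for path, kind in scan_layer(fetch, base, repo, digest):
                    findings.append((repo, tag, path, kind))
    return {"open": True, "findings": findings}


# ---- Constructed offline registry (hypothetical host and contents, not Vine's) ----
def _layer_tar(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_fake_registry(base: str, repo: str, tag: str, layer: bytes) -> Fetcher:
    digest = "sha256:" + hashlib.sha256(layer).hexdigest()
    manifest = json.dumps({"schemaVersion": 2, "layers": [{"digest": digest}]}).encode()
    routes = {
        f"{base}/v2/": (200, {"Docker-Distribution-API-Version": "registry/2.0"}, b"{}"),
        f"{base}/v2/_catalog?n=1000": (200, {}, json.dumps({"repositories": [repo]}).encode()),
        f"{base}/v2/{repo}/tags/list": (200, {}, json.dumps({"name": repo, "tags": [tag]}).encode()),
        f"{base}/v2/{repo}/manifests/{tag}": (200, {}, manifest),
        f"{base}/v2/{repo}/blobs/{digest}": (200, {}, layer),
    }
    return lambda url, headers=None: routes.get(url, (404, {}, b""))


BASE = "https://docker.example.test"  # hypothetical host, not docker.vineapp.com
FAKE_FETCH = make_fake_registry(BASE, "library/vinewww", "latest", _layer_tar({
    "app/main.py": b"print('hello')\n",
    # AKIAIOSFODNN7EXAMPLE is AWS's documented sample key, planted here on purpose.
    "app/config.py": b"AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n",
}))

if __name__ == "__main__":
    print(json.dumps(audit_registry(FAKE_FETCH, BASE), indent=2))
```

The defender’s check is the very first call: if /v2/ returns 200 to a client with no credentials, the registry is open to anyone who can reach it. Put it behind token auth (the 401 plus WWW-Authenticate behaviour the script treats as closed) or a network boundary, and run the same layer scan on images before they are pushed, since an image is just a tarball that anyone with pull access can unpack.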

Avinash reported the bug to Twitter and demonstrated the exploit on 31 March. Twitter patched the issue and awarded him a $10,080 bug bounty.
