Hacker Accesses And Downloads Vine’s Entire Source Code
Indian security researcher and bug hunter Avinash “avicoder” was able to access and download the entire source code of Twitter’s Vine. Once reported, it took Twitter only five minutes to fix the critical security flaw, which would have allowed any attacker to download Vine’s entire source code from its servers. Avicoder, who was the first to discover the issue, reported it to Twitter on March 31.
Acquired by Twitter in 2012, Vine is a short-form video sharing service that lets users share six-second videos that play in a loop.
The flaw in Vine allowed avicoder to download a Docker image containing the source code of the application.
Docker is an open platform for building, shipping and managing applications and the server images they run in. Docker images can be used on laptops, VMs or cloud servers alike.
During a penetration test, Avinash was surprised to find that Vine’s Docker images were publicly available online. Using censys.io, avicoder found a publicly accessible subdomain that appeared to have been configured as a Docker registry. On further investigation, he queried the registry API and found a total of 82 images available.
“Censys.io gave me an interesting URL https://docker.vineapp.com in its result,” Avinash wrote in a blog post. “If it is supposed to be private, then why is it publicly accessible? There has to be something else going on here. On googling /* private docker registry */ I got to know that Docker provides a functionality which allows a developer to host and share images through the web.”
One of the images, named “vinewww”, belonged to the Vine application. He downloaded it and examined it with a Docker image viewer. On launching it, he found the complete source code of the Vine platform on screen, along with API keys, third-party keys and various other private pieces of information.
“I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter was letting me host a replica of VINE locally,” added the expert.
Based on what avicoder has revealed, what makes this slightly more important is that the server required no authentication of any kind. Twitter could have been serving these Vine images near-publicly for months.
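The misconfiguration described above, an image catalog readable by anyone, is easy to audit for on registries you operate. The following added example (not code from the article, from Twitter or from Vine) performs an unauthenticated GET against the Registry HTTP API V2 `/v2/_catalog` endpoint and classifies the answer; the paths and the 401 + `WWW-Authenticate` behaviour are part of that API, while the sample responses, repository names and hostname are constructed so the script also runs offline.

```python
"""Audit a Docker Registry v2 endpoint for anonymous read access.

Added example; hostnames, sample responses and repository names are
constructed. A 200 on /v2/_catalog without credentials means anyone who
finds the host can enumerate and pull every image, which is exactly
how Vine's source code and keys were exposed.
"""
import json
import urllib.error
import urllib.request


def classify(status, headers, body):
    """Turn an anonymous GET /v2/_catalog response into (verdict, repos)."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status == 200:
        try:
            repos = json.loads(body).get("repositories", [])
        except (ValueError, AttributeError):
            return ("unexpected-200-body", [])
        return ("OPEN: anonymous catalog read", repos)
    if status == 401:
        challenge = hdrs.get("www-authenticate", "")
        scheme = challenge.split(" ", 1)[0].lower() if challenge else "none"
        return ("auth-required (%s)" % scheme, [])   # e.g. bearer or basic
    if status == 403:
        return ("forbidden", [])
    return ("unexpected-status-%d" % status, [])


def fetch_catalog(base_url, timeout=10):
    """GET /v2/_catalog with no credentials; return (status, headers, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/_catalog")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:           # 401/403 arrive as exceptions
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def audit(base_url):
    """Audit one registry you own, e.g. audit("https://registry.example.invalid")."""
    return classify(*fetch_catalog(base_url))


# Constructed responses standing in for a live registry: the first is how a
# registry with no authentication behaves, the second one that requires login.
OPEN_RESPONSE = (200, {"Content-Type": "application/json"},
                 json.dumps({"repositories": ["vinewww", "example-worker"]}))
CLOSED_RESPONSE = (401, {"Www-Authenticate": 'Bearer realm="https://auth.example.invalid/token"'}, "")

if __name__ == "__main__":
    for sample in (OPEN_RESPONSE, CLOSED_RESPONSE):
        print(classify(*sample))
```

Run `audit()` against your own registry hosts; any "OPEN" verdict means the catalog, and therefore every layer, is readable without credentials.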
Twitter awarded the researcher $10,080 for his work in April. The microblogging site fixed the problem within five minutes.