Twitter’s Vine source code was recently hacked and released online. In a blog post, security researcher “avicoder” describes a “long awaited bug” that he found in Twitter’s Vine, a short-form video sharing service used to share 6-second video clips. The micro-blogging giant acquired Vine in 2012.
How was the bug discovered?
Avinash, known by the handle avicoder, is an Indian bug bounty hunter who found a loophole in Vine that allowed him to download a Docker image containing the complete source code of Vine without any hindrance. He said he started looking at the various points of entry because Vine is within the scope of Twitter’s VRP (vulnerability reward program).
The bug was a serious one: it paid a bounty of around $10,080. He explained that he picked through Vine’s sub-domains until he found one that looked promising. With some more research and hard work, he managed to dig up the entire source code of Vine and download it.
Discussing his journey through the Vine software, Avinash said, “If it is supposed to be private, why is it publicly accessible? There has to be something else going on here.”
On googling “private docker registry”, he learned that Docker provides a registry feature that lets developers host and share images over the web.
He then worked out that the registry was not running the latest version of the registry API (V2) and that its endpoints differed from the current ones, so he had to use the V1 documentation to reach them, he said.
“Only after that was I able to get some useful response from the server,” said Avicoder.
He began by querying the registry’s “search API endpoint,” which disclosed that around 80+ images were hosted; this, he said, was a “good sign.”
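The V1 registry endpoints described above leave a trail in the registry’s access log, and that trail is what a defender can use to confirm whether a registry is answering sensitive requests for unauthenticated or external clients. The Python script below is an added example written for this article, not code from avicoder, Twitter or the Docker project. It parses constructed, proxy-style access log lines (placeholder IPs from the RFC 5737 documentation ranges, a placeholder repository name, and a made-up image id) and flags successful responses on the V1 search endpoint named in the article, plus the V1 tag-list and image-layer endpoints, which the article does not name, when the request carried no authenticated user or came from outside an assumed trusted build network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log for a Docker Registry (V1 API) behind a reverse
# proxy. Every line here is made up for this example: the addresses are RFC 5737
# documentation IPs, "example/app" is a placeholder repository, and the image id
# is invented.
SAMPLE_LOG = """\
10.0.4.12 - builder [31/Mar/2016:10:02:11 +0000] "GET /v1/_ping HTTP/1.1" 200 2
10.0.4.12 - builder [31/Mar/2016:10:02:12 +0000] "PUT /v1/repositories/example/app/ HTTP/1.1" 200 0
203.0.113.7 - - [31/Mar/2016:10:15:03 +0000] "GET /v1/search?q=* HTTP/1.1" 200 4812
203.0.113.7 - - [31/Mar/2016:10:15:09 +0000] "GET /v1/repositories/example/app/tags HTTP/1.1" 200 316
203.0.113.7 - - [31/Mar/2016:10:15:20 +0000] "GET /v1/images/3f1a9c0d7e21/layer HTTP/1.1" 200 58234110
198.51.100.4 - - [31/Mar/2016:10:20:00 +0000] "GET /v1/search?q=* HTTP/1.1" 401 0
10.0.4.12 - builder [31/Mar/2016:10:30:00 +0000] "GET /v1/search?q=example HTTP/1.1" 200 900
"""

# Assumption for this example: reads from the build network are expected;
# anything else is treated as the public Internet.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common-log-style line: client, ident, authenticated user, timestamp,
# request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# V1 registry paths that either reveal what is hosted or hand over image
# contents. Matched after the query string has been stripped.
SENSITIVE = [
    ("enumeration", re.compile(r"^/v1/search$")),
    ("enumeration", re.compile(r"^/v1/repositories/[^/]+/[^/]+/(tags|images)$")),
    ("download", re.compile(r"^/v1/images/[0-9a-f]+/(layer|json|ancestry)$")),
]


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify(path):
    """Map a request path to a sensitivity class, or None if it is harmless."""
    for kind, pattern in SENSITIVE:
        if pattern.match(path):
            return kind
    return None


def is_trusted(ip, nets=TRUSTED_NETS):
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def audit(log_text, nets=TRUSTED_NETS):
    """Flag successful sensitive requests served without auth or from outside."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        # Skip harmless paths, and skip refusals: a 401 means auth is working.
        if kind is None or not 200 <= rec["status"] < 300:
            continue
        unauthenticated = rec["user"] == "-"
        external = not is_trusted(rec["ip"], nets)
        if unauthenticated or external:
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "kind": kind,
                "unauthenticated": unauthenticated,
                "external": external,
                "bytes": rec["size"],
            })
    return findings


def by_source(findings):
    """Count findings per client address to spot a single enumerating host."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ip']:>14} {f['kind']:<12} {f['path']} "
              f"unauth={f['unauthenticated']} external={f['external']} bytes={f['bytes']}")
    print(dict(by_source(audit(SAMPLE_LOG))))
```

Run against the constructed log, the script flags the three external, unauthenticated reads (a search, a tag listing, and a layer download) and leaves alone both the 401 refusal and the authenticated read from the build network. The same rule set moves straight into a SIEM query; the fix on the registry side is to put authentication in front of every V1 path rather than only the write endpoints.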
Twitter fixed the bug within five minutes
The 23-year-old hacker reported the bug to the micro-blogging site on March 31, with a demonstration of full exploitation. He said Twitter fixed the bug within five minutes of his report, and the bounty was paid within a couple of days. Avinash has reported 19 vulnerabilities to Twitter so far.
“I started participating in various VRPs in 2015 and have been very active since then. Especially in the Twitter bug bounty programme since the response is quick and they release bounty as soon as the bug is triaged,” he said.
Avinash used Censys.io to search for vulnerabilities in Vine. Censys.io is a newer Internet-wide search engine, similar to Shodan, that scans the Internet daily and indexes exposed devices and services.