Vine, a short-form video service where users share six-second looping clips, was founded in June 2012 and acquired by Twitter in October of the same year. Its source code was reportedly downloaded by a bug bounty hunter after a private Docker registry belonging to the company was left reachable from the public internet.

Docker is an open platform for packaging applications and their dependencies into container images; a Docker registry is the server from which those images are pulled. Registries are not usually publicly accessible, but this one was. Security researcher Avinash Singh, who goes by avicoder, had been looking at Vine's parent company Twitter because it pays out quickly after bugs are found, and using the internet-wide scan data of Censys he discovered the registry. "The sub-domain, docker.vineapp.com, displayed the message '/* private docker registry */' in the browser," he writes.

The registry answered only one of the two versions of the Docker Registry API (v1 and v2) he tried, and he had to switch versions before it returned anything useful. "Only after that was I able to get some useful response from the server", he added. Pulling the image gave him Vine's source code and let him run his own copy of Vine on his computer. The code included "API keys, third party keys and secrets", he writes. With those keys, an attacker could impersonate Vine's own backend to the third-party services it integrates with.
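As an added check, not part of the original article and not Vine's or Twitter's own tooling: a small Python probe of the Docker Registry HTTP API v2 that reports whether a registry answers anonymously and, if it does, which repositories and tags an unauthenticated client can enumerate. It uses the same `/v2/`, `/v2/_catalog` and `/v2/<name>/tags/list` endpoints such a client would use; a protected registry answers `/v2/` with 401 and a `WWW-Authenticate` challenge, an open one with 200. The host names and canned responses are constructed for the demonstration, and `check_registry`, `canned_fetch` and the other names are chosen here.

```python
"""Probe a Docker Registry (HTTP API v2) for anonymous access.

Added example; not code from the article, Vine or Twitter. The hosts and
canned responses at the bottom are constructed for the demo.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetch function performs GET and returns (status, lower-cased headers, body).
Fetch = Callable[[str], Tuple[int, Dict[str, str], str]]


def urllib_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Standard-library GET; HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return err.code, hdrs, err.read().decode("utf-8", "replace")


def check_registry(base_url: str, fetch: Fetch = urllib_fetch, max_repos: int = 100) -> dict:
    """Classify a registry as 'open', 'auth_required' or 'not_v2'.

    For an open registry, enumerate repositories via /v2/_catalog and the tags
    of each via /v2/<name>/tags/list, exactly as an anonymous client would.
    """
    base = base_url.rstrip("/")
    result = {"registry": base, "state": "", "repositories": {}}

    status, headers, _ = fetch(f"{base}/v2/")
    if status == 401:
        # Registry is a v2 API but demands a token: this is the healthy state.
        result["state"] = "auth_required"
        result["challenge"] = headers.get("www-authenticate", "")
        return result
    if status != 200:
        # Not a v2 registry at this path (could be v1-only or something else).
        result["state"] = "not_v2"
        result["http_status"] = status
        return result

    result["state"] = "open"
    result["api_version"] = headers.get("docker-distribution-api-version", "")
    status, _, body = fetch(f"{base}/v2/_catalog?n={max_repos}")
    if status != 200:
        return result  # open but catalog disabled; image names must be guessed
    for repo in json.loads(body).get("repositories", []):
        t_status, _, t_body = fetch(f"{base}/v2/{repo}/tags/list")
        tags = []
        if t_status == 200:
            tags = json.loads(t_body).get("tags") or []
        result["repositories"][repo] = tags
    return result


# Constructed responses for two imaginary registries (not real hosts).
CANNED = {
    "https://registry.example.test/v2/": (
        200, {"docker-distribution-api-version": "registry/2.0"}, "{}"),
    "https://registry.example.test/v2/_catalog?n=100": (
        200, {}, '{"repositories":["web","worker"]}'),
    "https://registry.example.test/v2/web/tags/list": (
        200, {}, '{"name":"web","tags":["latest","v42"]}'),
    "https://registry.example.test/v2/worker/tags/list": (
        200, {}, '{"name":"worker","tags":["latest"]}'),
    "https://locked.example.test/v2/": (
        401, {"www-authenticate": 'Bearer realm="https://auth.example.test/token",'
                                  'service="locked.example.test"'},
        '{"errors":[{"code":"UNAUTHORIZED"}]}'),
}


def canned_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Offline stand-in for urllib_fetch using the constructed responses."""
    return CANNED.get(url, (404, {}, ""))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real probe: python check_registry.py https://registry.example.com
        print(json.dumps(check_registry(sys.argv[1]), indent=2))
    else:
        for host in ("https://registry.example.test", "https://locked.example.test"):
            print(json.dumps(check_registry(host, fetch=canned_fetch), indent=2))
```

Run it with no arguments to see the two canned outcomes, or pass a registry URL to probe a real host. A registry that comes back `open` with a populated catalog is in the state described above: anyone who can reach it can pull the images and read whatever was baked into them.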
On March 31, Singh reported the flaw to Twitter through its HackerOne bounty programme with a full demonstration of the exploitation. According to him, the company fixed the problem within five minutes of the report and awarded him $10,080 for pointing it out.
Vine was asked to comment on the story but at the time of writing, it has not responded.