An Indian hacker reaped a bounty of $10,080 (roughly Rs 6,73,000) from Twitter for identifying a security fault in Vine, a video-sharing service now owned by the micro-blogging website. Using Censys, Avinash found that Vine's entire Docker image, containing all of the site's code, had been published as public.
It took Twitter five minutes to fix a critical security flaw that would have allowed an attacker to download Vine's entire source code from its servers. For those unaware, Docker is an open platform for developers and system administrators; Docker images can be deployed on laptops, VMs, or cloud servers alike.
Using Censys.io, Avinash found over 80 Docker images, but he went specifically for the one named "vinewww", because it looked like public_html and he sensed that it could contain the source code. The sub-domain, docker.vineapp.com, displayed the message "/* private docker registry */" in the browser.
Security researcher Avicoder is the one who discovered this issue, which he reported to Twitter on March 31.
"If it is supposed to be private, why is it publicly accessible?" The server itself, hosted on Amazon Web Services, should have been private, but with Censys, Singh discovered that the image was public rather than private.
Even worse, Twitter wasn't running the latest version of the Docker registry API (v2), but the older v1 API.
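From the defender's side, the misconfiguration described above (a registry labelled private that answers anonymous requests, on the legacy v1 API) is something an operator can audit against their own registry with a short script. The following is an added example, not code from the article or from Twitter/Vine; the hostname registry.example.invalid and the sample responses are constructed placeholders, and only the /v1/search and /v2/_catalog endpoints are real registry API paths.

```python
import json
import urllib.error, urllib.request
from urllib.parse import urlparse

# Legacy v1 (which the article says Vine's registry used) and current v2 API
# endpoints; a private registry should answer both with 401 to anonymous clients.
PROBES = {"v1": "/v1/search", "v2": "/v2/_catalog"}

def classify(status, body):
    """Map one anonymous probe response to 'secured', 'exposed' or 'unknown'."""
    if status in (401, 403):
        return "secured"
    if status == 200:
        try:
            data = json.loads(body or "{}")
        except ValueError:
            return "unknown"
        # v1 answers {"results": [...]}, v2 answers {"repositories": [...]}
        if isinstance(data, dict) and ("results" in data or "repositories" in data):
            return "exposed"
    return "unknown"

def audit(base_url, fetch):
    """Probe both API versions; fetch(url) must return (status, body)."""
    return {ver: classify(*fetch(base_url.rstrip("/") + path))
            for ver, path in PROBES.items()}

def http_fetch(url, timeout=5):
    """Anonymous HTTP GET; urllib raises HTTPError for 4xx/5xx answers."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""

# Constructed sample responses: a misconfigured registry that serves its v1
# listing anonymously, and a hardened one that rejects both probes.
SAMPLE_EXPOSED = {"/v1/search": (200, '{"results": [{"name": "team/www"}]}'),
                  "/v2/_catalog": (401, "")}
SAMPLE_SECURED = {"/v1/search": (401, ""), "/v2/_catalog": (401, "")}

def fake_fetch(responses):
    # Offline stand-in for http_fetch, keyed by URL path
    return lambda url: responses[urlparse(url).path]

if __name__ == "__main__":
    for sample in (SAMPLE_EXPOSED, SAMPLE_SECURED):
        print(audit("https://registry.example.invalid", fake_fetch(sample)))
```

To check a real registry you operate, pass http_fetch instead of fake_fetch; an "exposed" verdict on either API version means anonymous clients can enumerate your images.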
Singh explained in a blog post that he could see Vine's entire source code, its third-party keys, API keys, and other secrets.
Twitter awarded the researcher $10,080 for his work. Recently, a Bengaluru-based hacker, Anand Prakash, claimed he received $15,000 (approximately Rs 10 lakh) from Facebook for reporting a bug that could have put the social network's 1.6 billion users at risk.