Bug makes Vine's source code public

Security hole allowed hackers to download Vine's source code

A bug has allowed a security researcher to download Vine's entire source code.

The researcher, who goes by the moniker Avicoder, found the flaw when looking for faults that would result in a money reward from the six-second video service's bug bounty programme.

In a blog post, Avicoder wrote that he found the "long awaited bug" after examining the website's security measures. He was drawn to Vine because its parent, Twitter, pays out quickly after bugs are reported.

Avicoder discovered a sub-domain using a tool called Censys.io. The sub-domain, docker.vineapp.com, displayed the message "/* private docker registry */" in the browser.


"If it is supposed to be private, why is it publicly accessible? There has to be something else going on here. On googling /* private docker registry */ I get to know that Docker provides a functionality which allows a developer to host and share images through the web," he said.

"After figuring out that the Docker registry is not using the latest version (V2) and the endpoints are different from previous ones, I needed to use V1 documentation to access them. Only after that was I able to get some useful response from the server," he added.

Avicoder then used the Docker registry API to enumerate the resources on the server. He noticed there was a development image called "vinewww". Downloading the image allowed the bug hunter to run his own copy of Vine on his computer.
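The two paragraphs above turn on one detail: an old V1 registry answers on different endpoints from a V2 one, and a registry that answers anonymous requests with a catalogue instead of an authentication challenge is publicly readable. The following is an added example, not code from the article or from Avicoder's write-up, that an operator can run against their own registry to confirm it demands credentials. It assumes a pluggable fetch function (a real one would wrap an HTTP client); the sample responses are constructed, and the host names and repository names in them are placeholders.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added example (not from the article): classify how a Docker registry answers
# unauthenticated requests so an operator can confirm it requires credentials.


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# A fetcher maps a request path to the Response the registry returned.
# Injecting it keeps the check testable offline.
Fetcher = Callable[[str], Response]


@dataclass
class Assessment:
    api_version: Optional[str] = None     # "v2", "v1", or None if nothing answered
    auth_challenge: bool = False          # registry demanded credentials
    anonymous_read: bool = False          # catalogue readable without credentials
    repositories: List[str] = field(default_factory=list)


def _header(resp: Response, name: str) -> Optional[str]:
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def assess_registry(fetch: Fetcher) -> Assessment:
    result = Assessment()

    # Registry API V2: GET /v2/ answers 200 to anonymous readers, or 401 with a
    # WWW-Authenticate challenge when a token service protects the registry.
    ping = fetch("/v2/")
    if ping.status in (200, 401):
        result.api_version = "v2"
        if ping.status == 401 and _header(ping, "WWW-Authenticate"):
            result.auth_challenge = True
            return result
        catalog = fetch("/v2/_catalog")
        if catalog.status == 200:
            result.anonymous_read = True
            result.repositories = json.loads(catalog.body).get("repositories", [])
        return result

    # The deprecated V1 API uses different endpoints, as the article notes:
    # /v1/_ping answers 200 and /v1/search lists repositories.
    ping = fetch("/v1/_ping")
    if ping.status == 200:
        result.api_version = "v1"
        search = fetch("/v1/search")
        if search.status == 200:
            results = json.loads(search.body).get("results", [])
            result.anonymous_read = True
            result.repositories = [r["name"] for r in results]
    elif ping.status == 401:
        result.api_version = "v1"
        result.auth_challenge = True
    return result


def summarize(a: Assessment) -> str:
    if a.api_version is None:
        return "no registry API answered"
    if a.anonymous_read:
        return (f"{a.api_version} registry readable without credentials "
                f"({len(a.repositories)} repositories listed)")
    if a.auth_challenge:
        return f"{a.api_version} registry requires authentication"
    return f"{a.api_version} registry answered but exposed no catalogue"


# Constructed sample responses standing in for two live registries.
EXPOSED_V1 = {
    "/v2/": Response(404, {}, "404 page not found"),
    "/v1/_ping": Response(200, {"X-Docker-Registry-Version": "0.9.1"}, "true"),
    "/v1/search": Response(200, {}, json.dumps({
        "num_results": 2, "query": "",
        "results": [{"name": "web-frontend", "description": ""},
                    {"name": "worker", "description": ""}]})),
}
LOCKED_V2 = {
    "/v2/": Response(401, {"WWW-Authenticate":
                           'Bearer realm="https://auth.example.invalid/token",service="registry"'},
                     '{"errors":[{"code":"UNAUTHORIZED"}]}'),
}


def fetcher_from(table: Dict[str, Response]) -> Fetcher:
    """Build an offline fetcher from a path -> Response table (404 for anything else)."""
    return lambda path: table.get(path, Response(404, {}, ""))


if __name__ == "__main__":
    for name, table in (("exposed v1", EXPOSED_V1), ("locked v2", LOCKED_V2)):
        print(name, "->", summarize(assess_registry(fetcher_from(table))))
```

The V2 branch treats a 401 carrying a WWW-Authenticate header as the healthy outcome; a 200 from the catalogue endpoint without credentials is the finding that should page someone, because it means every image name is enumerable and, in practice, every layer is pullable.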

The code gave the researcher access to API keys that, in the wrong hands, could have been used maliciously. An attacker holding these keys could impersonate Vine when signing in to other websites.
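The keys were exposed because they were baked into the image, so the control that matters is catching credential-looking literals in image layers before the image is pushed. The following is an added example, not from the article, of such a pre-push scan: it reads the files inside a layer tar and flags assignments of long quoted values to variables named like credentials. The regex, the file-suffix list and the sample layer are constructed for illustration, and the secret values in it are placeholders, not real keys.

```python
import io
import re
import tarfile
from typing import Dict, List, Tuple

# Added example (not from the article): scan the files in an image layer for
# credential-looking assignments before the image leaves the build machine.

# Variable names that usually hold credentials, assigned a quoted literal of at
# least 16 characters. Constructed heuristic; tune it for your own code base.
SECRET_ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Za-z0-9_]*)"""
    r"""\s*[:=]\s*['"](?P<value>[^'"]{16,})['"]""",
    re.IGNORECASE,
)
TEXT_SUFFIXES = (".py", ".js", ".rb", ".json", ".yml", ".yaml",
                 ".env", ".cfg", ".ini", ".txt")


def scan_layer(layer: bytes) -> List[Tuple[str, int, str]]:
    """Return (member path, line number, variable name) for each suspicious assignment."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(TEXT_SUFFIXES):
                continue
            data = tar.extractfile(member).read()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary content is skipped
            for lineno, line in enumerate(text.splitlines(), 1):
                m = SECRET_ASSIGNMENT.search(line)
                if m:
                    hits.append((member.name, lineno, m.group("name")))
    return hits


def build_layer(files: Dict[str, str]) -> bytes:
    """Pack path -> content into an uncompressed tar, the shape of an image layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed layer contents; the credential values are placeholders.
SAMPLE_LAYER = build_layer({
    "app/settings.py": 'DEBUG = False\n'
                       'TWITTER_CONSUMER_SECRET = "placeholder-secret-value-0123456789"\n',
    "app/main.py": "from settings import DEBUG\n",
    ".env": "DATABASE_PASSWORD='placeholder-db-password-xyz'\n",
    "app/logo.png": "not really an image",  # skipped: not a text suffix
})


if __name__ == "__main__":
    for path, lineno, name in scan_layer(SAMPLE_LAYER):
        print(f"{path}:{lineno}: credential-looking assignment to {name}")
```

Wiring `scan_layer` over the layers of a saved image (`docker save` writes each layer as a tar inside the archive) turns this into a build-pipeline gate; the longer-term fix is to keep keys out of images entirely and inject them at runtime.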

Avicoder reported the bug on 21 March and supplied further details to Twitter on 31 March. Within five minutes the bug had been fixed. Avicoder received $10,080 from the bug bounty programme.

Vine was asked to comment on the story but at the time of writing, it has not responded.


Picture courtesy of Esther Vargas
