Bug makes Vine's source code public

Security hole allowed hackers to download Vine's source code

A bug has allowed a security researcher to download Vine's entire source code.

The researcher, who goes by the moniker Avicoder, found the flaw when looking for faults that would result in a money reward from the six-second video service's bug bounty programme.

In a blog post, Avicoder found the "long awaited bug" after checking the website's security measures. He was interested in Vine's parent website Twitter, which pays out quickly after bugs are found.

Advertisement - Article continues below

Avicoder discovered a sub-domain after using a tool called Censys.io. The sub-domain, docker.vineapp.com, displayed the message "/* private docker registry */ in the browser.

"If it is supposed to be private, why is it publicly accessible? There has to be something else going on here. On googling /* private docker registry */ I get to know that the Docker provides a functionality which allows a developer to host and share images through the web," he said.

"After figuring out that the Docker registry is not using the latest version (V2) and the endpoints are different from previous ones, I needed to use V1 documentation to access them. Only after that was I able to get some useful response from the server," he added.

Avicoder then used Docker's APIs to find resources on the server. He noticed there was a development image called "vinewww". Downloading the code allowed the bug hunter to run his own copy of Vine from his computer.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The code gave the researcher access to API keys that in the wrong hands could have been used maliciously. A hacker could pretend to be Vine by using these keys to sign-in to other websites.

Avicoder reported the bug on 21 March and supplied further details to Twitter on 31 March. Within five minutes the bug had been fixed. Avicoder received $10,080 from the bug bounty programme.

Vine was asked to comment on the story but at the time of writing, it has not responded.

Picture courtesy of Esther Vargas

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/security/vulnerability/356295/microsoft-patches-high-risk-flaws-that-can-be-exploited-with-a
vulnerability

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020
Visit/policy-legislation/data-protection/356344/eu-institutions-warned-against-purchasing-any-further
data protection

EU institutions told to avoid Microsoft software after licence spat

3 Jul 2020