Twitter has paid an Indian hacker $10,080 for discovering Vine’s source code, uncovering a major security flaw for the company.
Avinash Singh, who is best known online by his nickname “avicoder,” found that the video-sharing app’s source code was publicly available by way of Censys.io, a search engine that enables users to “ask questions” about devices and networks connected to the internet. The search engine is utilized by those looking to uncover vulnerabilities in devices, with Avinash discovering an address for Silicon Valley startup Docker reading docker.vineapp.com. Avinash noted that when he tried to access the site via his browser, it informed him that it was a “private docker registry.” However, in a blog post explaining his finding, Avinash wrote: “If it is supposed to be private, then why is it publicly accessible? There has to be some thing else to going on here.”
He continued: “On googling /* private docker registry */ I get to know that the docker provides a functionality which allows a developer to host and share images through the web.
“I’ve worked on docker earlier and the experience helped me realize that there could be some chances of finding code in these images. The chances that developers frequently use it to share data, as they do not have to go through the process of setting up the environment again on their local machines, was quite high.”
Upon further investigation, Avinash was able to uncover the source code for Vine which, worryingly, allowed him to recreate a thoroughly realistic version of the site, as you can see below:
Image Credit: Avicoder
This would present an issue for Vine and its founding company Twitter, as it would effectively allow phishing sites to trick users into entering their login details into a fake version of the site. Avinash brought the bug to Twitter’s attention, with the site rewarding him a bounty of $10,080 for his troubles.
This isn’t the first time Twitter has paid out cash to hackers who have identified faults with their services, as the company has a policy which sees them paying out cash sums of $140 or more (a reference to the social network’s 140-character limit) to those who detect bugs and aid them in bettering their sites. However, the severity of the bug Avinash uncovered for the site saw them handing him thousands of dollar, which will likely serve as an incentive for other like-minded hackers to begin uncovering their own problems with the micro-blogging platforms.