He was a white hat hacker—the good kind.
Avinash Singh, an Indian computer security researcher, stumbled across a prized possession earlier this year: the entire source code for Twitter’s short-form video service, Vine.
Singh, who goes by the nickname “avicoder,” uncovered a security hole that let him reach the cache of code online with almost no effort. In March, he reported the issue to Twitter, which has owned the six-second video service since 2012. Soon after, the company fixed the problem and awarded him $10,080 through its bug bounty partner, the startup HackerOne.
(Twitter pays bug bounty rewards in amounts divisible by $140, a nod to the 140-character limit the microblogging service imposes on tweets.)
Singh discovered Vine’s valuable code after poking around online with Censys.io, a search engine built on Internet-wide scan data that researchers (and attackers) use to find exposed Internet-connected hosts and services. While doing some reconnaissance, he saw an address that caught his attention: https://docker.vineapp.com.
The subdomain in that URL refers to Docker, a fast-growing Silicon Valley startup whose tools package applications into container images that developers can spin up and share quickly. The host Singh found was a private Docker image registry that answered requests without any authentication: no password, let alone two-factor authentication, was needed to list or pull what it held. “If it is supposed to be private, then why is it publicly accessible?” Singh wondered during his probe, which he recently described in a blog post.
After a bit more digital prodding, he said he “was able to see the entire source code of vine, its API keys and third party keys and secrets.”
Not only that, but Singh was able to boot up a virtual replica of Vine on his machine—a scammer’s dream. “Just imagine how handy that would be to a phishing gang,” wrote Paul Ducklin, a computer security expert, on a blog sponsored by the cybersecurity firm Sophos. “No need to create home-made mockups of Vine’s service with fake login screens when you can run a pre-prepared visual clone that looks and feels like the real deal.”
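The check a practitioner would run against a host like the one above, as an added example that is not Singh’s tooling and not Vine’s or Twitter’s code: the Docker Registry HTTP API’s version endpoint `/v2/` returns 401 with a WWW-Authenticate challenge when the registry enforces credentials and 200 when anonymous callers are let in, after which `/v2/_catalog` enumerates every repository. The script below classifies a registry that way, then runs a small secret scan of the kind that turns up API keys in extracted image layers. The hostnames registry.example.com and registry.example.org, the repository names, the two fake fetchers and the sample config file are constructed so it runs offline; the AWS key in the sample is Amazon’s documented placeholder, not a real credential.

```python
"""Check a Docker Registry (v2 HTTP API) for anonymous access, list what it
serves, and flag secret-looking strings in extracted files.

Added illustrative code; not Singh's tooling and not Vine's or Twitter's code.
Hostnames, repository names and the sample config below are constructed."""
import json
import re
import urllib.error
import urllib.request


def http_get(url, timeout=10):
    """Default fetcher: return (status, headers, body) even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def check_registry(base_url, fetch=http_get):
    """GET /v2/ is the registry's API version check.  A registry that enforces
    auth answers 401 plus a WWW-Authenticate challenge; 200 means the anonymous
    caller is in, and /v2/_catalog then lists every repository it holds."""
    base = base_url.rstrip("/")
    status, headers, _ = fetch(base + "/v2/")
    lower = {k.lower(): v for k, v in headers.items()}
    if status != 200:
        return {"open": False, "status": status,
                "challenge": lower.get("www-authenticate", ""), "repositories": []}
    status, _, body = fetch(base + "/v2/_catalog?n=100")
    repos = []
    if status == 200:
        try:
            repos = list(json.loads(body).get("repositories", []))
        except ValueError:
            pass  # reachable, but not answering like a conformant registry
    return {"open": True, "status": 200, "challenge": "", "repositories": repos}


# Patterns a layer scan would look for once images are pulled and unpacked.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # e.g. API_KEY = "...", secret: ..., DB_PASSWORD=...; captures the value
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)[A-Za-z0-9_]*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+_\-]{16,})"),
}


def find_secrets(files):
    """files: {path: text}.  Returns one hit per (path, pattern, match)."""
    hits = []
    for path, text in files.items():
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(text):
                hits.append({"path": path, "kind": kind, "match": m.group(m.lastindex or 0)})
    return hits


# ---- constructed stand-ins for two registries, so the script runs offline ----
def fake_open_registry(url, timeout=10):
    if url.endswith("/v2/"):
        return 200, {"Docker-Distribution-Api-Version": "registry/2.0"}, "{}"
    if "/v2/_catalog" in url:
        return 200, {}, json.dumps({"repositories": ["webapp", "api"]})
    return 404, {}, ""


def fake_locked_registry(url, timeout=10):
    challenge = 'Bearer realm="https://auth.example.com/token",service="registry"'
    return 401, {"Www-Authenticate": challenge}, '{"errors":[{"code":"UNAUTHORIZED"}]}'


SAMPLE_FILES = {  # constructed; pretend these came out of a pulled image layer
    "app/config/production.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "DEBUG = False\n"
    ),
    "app/README.md": "Run `make test` before pushing.\n",
}


def demo():
    results = {
        "open": check_registry("https://registry.example.com", fetch=fake_open_registry),
        "locked": check_registry("https://registry.example.org", fetch=fake_locked_registry),
        "secrets": find_secrets(SAMPLE_FILES),
    }
    for name, value in results.items():
        print(name, "->", value)
    return results


if __name__ == "__main__":
    demo()
```

Against a live host, call `check_registry("https://<registry>")` with the default fetcher. An open registry is followed, in practice, by `docker pull <registry>/<repo>:<tag>` and `docker save` of the image so its layers can be untarred and run through a scanner like `find_secrets`; that is the equivalent of how a replica of a service gets reconstructed from an exposed registry. From the defender’s side the check is the same call made from outside the network: anything other than a 401 on `/v2/` means the registry is serving anonymous clients.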
Twitter, once alerted, swiftly took the server off the network. “We fixed this issue within five minutes of it being reported to Vine through Twitter’s Bug Bounty program,” a Vine spokesperson told Fortune in an email. “We also took precautionary steps like revoking and reissuing credentials to ensure that our systems remain safe.”
Singh swore on his blog that he would not release the source code, and there are no indications that it fell into anyone else’s hands.
Singh has reported nearly 20 bugs to Twitter since he started contributing as a so-called bounty hunter last year. He said he focuses mainly on Twitter because it fixes problems and pays up quickly, though he has also submitted bugs to Coursera, OwnCloud, and Imgur; in all, he has reported 40 vulnerabilities through HackerOne to date.