A hacker looking for bug bounties has stumbled across a security hole in Vine that allowed him to download the entire source code from a publicly accessible website. He was awarded over $10,000 for the discovery of the blatant internal oversight.
The hacker, a security researcher by the name “avicoder,” has been investigating various bug bounty programs since 2015. Bug bounty schemes are run by tech firms and invite “friendly hackers” to find vulnerabilities in return for a monetary award. They incentivise hackers to use their skills constructively, enabling bugs to be found before those with malicious intentions discover them.
Avicoder has been particularly interested in Twitter’s program because of their quick response time and payment release period. He began to look into subsidiary service Vine, the looping video app where users share six-second videos with their friends.
Using Censys.io, a tool that exposes all the subdomains of a particular domain, avicoder found an interesting resource on Vine’s website. A landing page at “docker.vineapp.com” displayed the message “/* private docker registry */ in the browser.
Docker is a programming tool that allows coders to share data and development environments over the Internet. Avicoder had stumbled upon what appeared to be a code repository for Vine, supposedly “private” but actually in full public view.
After using Docker’s APIs to determine the number of resources present on the server, avicoder noticed a development image named “vinewww.” Downloading the file revealed the entire source code for the Vine website and web app, allowing the researcher to run his own copy of Vine on his local computer.
The source code also gave avicoder access to API keys that could be used maliciously. API keys allow apps to interact with external services such as Facebook and Twitter. By obtaining access to the API keys, a hacker could masquerade as Vine by using its keys to sign-in to other websites.
Avicoder reported the publicly accessible development server on March 21 2016. On March 31, he supplied full exploitation details at Twitter’s request. Within five minutes of sending the response, the bug had been fixed. The server is no longer publicly accessible. On April 2, avicoder received a $10,080 bug bounty for his work.
In a Reddit thread discussing avicoder’s work, programmers pointed out that Docker’s documentation specifically states it does not come with authentication. It advises all developers install their own authentication handler onto their Docker server. Vine missed this crucial step. The public accessibility of the domain indicates very little consideration had gone into the repository’s security.
The discovery is significant as malicious hackers could have discovered the Docker server before avicoder. Vine has been handing out its complete source for months. No authentication was required to access the server and its contents could be retrieved by sending simple HTTP requests to its address. The hole has now been patched but the subdomain still exists.