Twitter rewards Indian hacker $10,080 for uncovering Vine security bug

26 Jul 2016

An Indian hacker reaped a bounty of $10,080 (roughly Rs6,73,000) from Twitter for identifying a security flaw in Vine – a video sharing service currently owned by the micro-blogging website.

According to reports, the entire source code of Vine was publicly available online. Avinash Singh, who goes by the nickname 'avicoder', uncovered a loophole in the popular video service that allowed him to easily access the cache of code online.

Singh was apparently able to download a Docker image containing the complete source code of Vine while searching for vulnerabilities using censys.io. Censys is a search engine with which computer scientists can discover vulnerable internet-connected devices.

In Censys' own words, "Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet."

He reported the flaw to Twitter in March; the micro-blogging site fixed it in five minutes and awarded him a $10,080 bounty.

According to reports, Singh has reported nearly 20 vulnerabilities to Twitter since he started contributing as an active bug bounty hunter in 2015.

Vine, a short-form video sharing service, allows users to share six-second-long looping video clips. It was founded in June 2012, and Twitter acquired it in October of the same year.

A Docker container packages everything needed to run a piece of software, including code, system tools and libraries.

The entire code for Vine formed part of a Docker image used to host the site. The server itself, which was on Amazon Web Services, should have been private, but using Censys Singh discovered that the image was publicly accessible rather than private.

On downloading and running the image, Singh discovered that he could host a local copy of Vine himself and peruse the source code, API keys and other critical information.