Indian bug-bounty hunter Avinash was paid $10,080 (around Rs 6.8 lakh) for discovering that Vine’s source code was publicly accessible.
Twitter-owned Vine is a video-based micro-blogging service that lets users upload six-second looping videos. The Hacker News reports that Avinash came across a Docker image for Vine while searching for vulnerabilities on censys.io.
In Censys’ own words, “Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.” Docker packages an application together with everything it needs to run (code, runtime, system tools, libraries) into an image; running that image produces a container. It is similar to a virtual-machine image but far lighter-weight, which is why it is seeing widespread use.
The entire Vine codebase was baked into a Docker image used to run the site. The infrastructure was hosted on AWS (Amazon Web Services) and the image should never have been reachable from outside. Using Censys, Avinash discovered that the image was publicly accessible rather than restricted. That matters because anyone who can pull an image can unpack every layer of it, including files that a later build step deleted, so whatever was copied into the image at build time (source, configuration, credentials) is effectively published.
After downloading and running the image, he found that he could host a working local copy of Vine and browse its source code, API keys and other sensitive information.
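The following Python script is an added example, not code from the original report or from Vine, that shows why a pull-able image amounts to a source leak. It walks a `docker save` tarball layer by layer and scans each file for credential patterns, and it also reconstructs which files a running container would actually see, so that a file “deleted” in a later layer is shown to be hidden from the container yet still present in the image. The two-layer image it inspects is constructed in memory; the file paths, the regexes and the AWS documentation placeholder key are assumptions for illustration, not anything from the Vine incident.

```python
"""Added example: scan a `docker save` tarball layer by layer for credentials,
including files that a later layer 'deleted' with a whiteout marker and that are
therefore invisible inside a running container but still inside the image."""
import io
import json
import re
import tarfile

# Credential shapes to look for. Constructed for illustration only; a real
# scanner would carry a much larger pattern set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        rb"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"][^'\"]{16,}['\"]"),
}

# In an image layer, a file named `.wh.<name>` means <name> was deleted in this layer.
WHITEOUT_PREFIX = ".wh."


def _tar_from_bytes(data):
    return tarfile.open(fileobj=io.BytesIO(data), mode="r")


def iter_layers(image_tar_bytes):
    """Yield (layer_path, {member_path: content}) in the order the manifest lists them."""
    with _tar_from_bytes(image_tar_bytes) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            with _tar_from_bytes(outer.extractfile(layer_path).read()) as layer:
                files = {m.name: layer.extractfile(m).read()
                         for m in layer.getmembers() if m.isfile()}
            yield layer_path, files


def scan_image(image_tar_bytes):
    """Return (layer_path, file_path, pattern_name) for every match in every layer.
    Every layer is inspected, not just the final filesystem view."""
    findings = []
    for layer_path, files in iter_layers(image_tar_bytes):
        for path, content in files.items():
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(content):
                    findings.append((layer_path, path, name))
    return findings


def visible_files(image_tar_bytes):
    """The paths a container started from this image would see: layers applied
    in order, with `.wh.<name>` entries removing <name> from the view."""
    visible = set()
    for _, files in iter_layers(image_tar_bytes):
        for path in files:
            directory, _, base = path.rpartition("/")
            if base.startswith(WHITEOUT_PREFIX):
                hidden = base[len(WHITEOUT_PREFIX):]
                visible.discard(f"{directory}/{hidden}" if directory else hidden)
            else:
                visible.add(path)
    return visible


def _make_tar(files):
    """Build an uncompressed tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image standing in for a leaked app image (not Vine's).
    Layer 1 copies the app in, credential included; layer 2 'removes' the config
    file, which only adds a whiteout marker and leaves layer 1 untouched."""
    layer1 = _make_tar({
        "app/main.py": b"print('hello')\n",
        # AKIAIOSFODNN7EXAMPLE is the placeholder access key used in AWS documentation.
        "app/config.py": b'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    })
    layer2 = _make_tar({"app/.wh.config.py": b""})
    manifest = [{"Config": "config.json", "RepoTags": ["example/app:latest"],
                 "Layers": ["layer1/layer.tar", "layer2/layer.tar"]}]
    return _make_tar({
        "manifest.json": json.dumps(manifest).encode(),
        "layer1/layer.tar": layer1,
        "layer2/layer.tar": layer2,
    })


if __name__ == "__main__":
    image = build_sample_image()
    print("files a running container sees:", sorted(visible_files(image)))
    for layer, path, pattern in scan_image(image):
        print(f"{pattern} found in {layer}:{path}")
```

Run against a real image with `docker save <image> -o image.tar` and pass the file’s bytes to `scan_image`. The design point is that `visible_files` reports only `app/main.py`, exactly what `docker run` would show, while `scan_image` still finds the key in layer 1: removing a secret in a later build step does not remove it from the image, so anything ever copied into a layer of a publicly pull-able image should be treated as compromised and rotated.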
Avinash reported his findings to Twitter on 31 March and the issue was fixed within five minutes. In return, Avinash received $10,080 for his trouble.
Bug bounties seem to be turning into a legitimate source of income for a select few ‘hackers’. We recently reported on Anand Prakash, another bug-bounty hunter, who has amassed close to Rs 1.3 crore from his bug-hunting efforts.