Twitter, like many other companies, runs a bug bounty program that pays fairly well, and quickly, to anyone who reports a vulnerability. A bug bounty is an arrangement in which a company pays outside hackers for finding vulnerabilities in its systems. It achieves two things: it crowd-sources security testing, and it gives whoever finds a hole an incentive to report it rather than exploit it.
Encouraged by Twitter's bug bounty program, a researcher going by the handle "avicoder" has been looking into Twitter- and Vine-related vulnerabilities for quite some time. His most recent find, however, is probably more than he bargained for. Using censys.io, avicoder came across a publicly accessible subdomain that appeared to be a Docker image registry.
Investigating further, avicoder queried the registry's API and found 82 images available, one of them named "vinewww". Guessing that it might hold something related to the Vine website - exactly what he was after - he downloaded the image and, on launching it, found that it contained the entire website: the source code, API keys and various other private pieces of information.
What makes this more significant is that, based on what avicoder has revealed, the server required no authentication at all, so Twitter could have been serving these Vine images to anyone who found the host for months. avicoder reported the vulnerability to Twitter long ago, and it appears to have been triaged, so the resource hosting the Docker images has, at the very least, been tentatively patched.
Bug bounties are a two-way thing, and Twitter has adequately rewarded avicoder for the find - to the tune of USD$10,080, paid back in April.
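The two steps described above - fingerprinting a host as a Docker registry and, when it answers without a credential challenge, listing every image it holds - are exactly what a defender should be checking for in their own estate. The script below is an added example, not code from the article or from avicoder: it implements that check against the Registry v2 HTTP API and bundles a small in-process fake registry so it runs offline. The fake registry, its hostnames and the image names (including "vinewww") are constructed for the example.

```python
"""Audit a host for an unauthenticated Docker Registry v2 API.

Added example, not code from the original article or from avicoder. A
Registry v2 endpoint that answers GET /v2/ with 200 and no WWW-Authenticate
challenge will also hand its catalogue and tags to anyone who asks. A small
in-process fake registry is included so the script runs offline; its
hostnames and image names are constructed for this example.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data standing in for what an exposed registry would return.
SAMPLE_REPOS = ["vinewww", "vineapi", "nginx"]
SAMPLE_TAGS = {"vinewww": ["latest", "v2"], "vineapi": ["latest"], "nginx": ["1.9"]}


class _FakeRegistry(BaseHTTPRequestHandler):
    """Minimal stand-in for the Registry v2 HTTP API (constructed for this example)."""
    require_auth = False  # overridden per server by start_fake_registry()

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        self.send_header("Docker-Distribution-Api-Version", "registry/2.0")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.require_auth:
            # A properly locked-down registry challenges every request.
            self._reply(401, b"{}", [("WWW-Authenticate",
                        'Bearer realm="https://auth.example/token",service="registry"')])
        elif self.path == "/v2/":
            self._reply(200, b"{}")
        elif self.path.startswith("/v2/_catalog"):
            self._reply(200, json.dumps({"repositories": SAMPLE_REPOS}).encode())
        elif self.path.startswith("/v2/") and self.path.endswith("/tags/list"):
            name = self.path[len("/v2/"):-len("/tags/list")]
            self._reply(200, json.dumps({"name": name, "tags": SAMPLE_TAGS.get(name, [])}).encode())
        else:
            self._reply(404, b"{}")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_registry(require_auth):
    """Start a fake registry on a free localhost port; returns (server, base_url)."""
    handler = type("Handler", (_FakeRegistry,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def _get(url):
    """GET url without credentials; return (status, headers, body) even for 4xx/5xx."""
    try:
        with urlopen(Request(url), timeout=5) as resp:
            return resp.status, resp.headers, resp.read()
    except HTTPError as err:
        return err.code, err.headers, err.read()


def audit_registry(base_url):
    """Classify a host and, if it is an open registry, enumerate repositories and tags."""
    status, headers, _ = _get(base_url + "/v2/")
    result = {
        # The version header is the usual fingerprint for a Registry v2 endpoint.
        "is_registry": headers.get("Docker-Distribution-Api-Version", "").startswith("registry/2.0"),
        "auth_required": None,
        "repositories": {},
    }
    if not result["is_registry"]:
        return result
    if status == 401:
        result["auth_required"] = True
        result["challenge"] = headers.get("WWW-Authenticate", "")
        return result
    if status != 200:
        return result  # reachable registry but unexpected answer; leave auth undetermined
    result["auth_required"] = False
    # /v2/_catalog lists every repository. A real registry paginates via a Link
    # header, which this example does not follow.
    status, _, body = _get(base_url + "/v2/_catalog?n=100")
    if status == 200:
        for repo in json.loads(body).get("repositories", []):
            tstatus, _, tbody = _get("%s/v2/%s/tags/list" % (base_url, repo))
            result["repositories"][repo] = json.loads(tbody).get("tags", []) if tstatus == 200 else []
    return result


if __name__ == "__main__":
    for locked in (False, True):
        server, base = start_fake_registry(locked)
        print("locked" if locked else "open", "->", audit_registry(base))
        server.shutdown()
```

Against a real host you would call audit_registry("https://registry.example") and treat an auth_required of False as a finding: every repository and tag it lists is what `docker pull host/name:tag` would fetch with no credentials. A 401 carrying a Bearer challenge on /v2/ is the expected answer from a registry fronted by a token service, and is what the Vine host should have returned.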
Source: avicoder