Avinash Singh, an Indian-origin white hat hacker, has received $10,080 from micro-blogging site Twitter for discovering a security flaw in its Vine video-sharing service. He discovered a Docker image for Vine that was supposed to be stored on an Amazon Web Services server. The loophole allowed Avinash to access the complete cache of Vine's online code.
Avinash reported the security flaw to Twitter in March 2016, and Twitter recognised the report by awarding him $10,080 through HackerOne, a bug bounty startup and a Hacker News website. Twitter was able to rectify the issue within five minutes.
HackerOne reported that Avinash found a Docker image for Vine while searching for vulnerabilities using censys.io. Docker is an open platform that developers and system administrators use to build and run applications from images containing code and libraries.
Avinash discovered that the complete code for Vine was stored as part of a Docker image that was used to host the site. The server was on Amazon Web Services and, ideally, should have been private. However, it was public, and Avinash was able to find the Docker image.
In a blog post, Avinash Singh stated that he was able to discover the complete source code of Vine, its third-party keys, API keys and other information. He added that he was able to run the image without any parameters and still host a replica of Vine locally.