An Indian-origin bug-bounty hunter managed to get access to Vine’s entire source code, allowing him to host a replica of the site locally. The dangerous oversight could have allowed malicious hackers to easily wreak havoc if it had fallen into more nefarious hands.
Security researcher Avicoder used Censys, a public search engine commonly used to find exposed services and vulnerabilities, to dig into Vine. He discovered that the URL ‘https://docker.vineapp.com’ was publicly reachable when it should have been private. Docker is a platform for packaging software into images that contain everything needed to run it, such as code and system tools; a Docker registry is the server where those images are stored.
Upon visiting the URL, Avicoder was presented with a message stating ‘/* private docker registry */’. After a few experiments, he was able to pull the images and so obtain Vine’s entire source code, API keys, third-party keys, and secrets. This unrestricted access allowed him to run his very own replica of the site, which could have fooled anyone into thinking it was the real deal.
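The root cause described above is a registry that answers without demanding credentials. A registry that is configured correctly responds to GET /v2/ with 401 and a WWW-Authenticate challenge; an open one answers 200 and will also serve /v2/_catalog, listing every repository it holds. The following script is an added example, not code from the article or from Vine or Twitter: it is a self-audit check an operator can run against their own registry hostnames to confirm that authentication is enforced. The two mock registries it spins up on localhost, and the repository names they report, are constructed for the demonstration.

```python
"""Audit check: does a Docker Registry v2 endpoint require authentication?

Added example (not from the article). Run it against your own registry
hostnames; the mock servers below exist only so the script runs offline.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def _get(url, timeout):
    """GET url and return (status, headers, body); status None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as e:        # 4xx/5xx still carry headers
        return e.code, e.headers, e.read()
    except (urllib.error.URLError, OSError):
        return None, {}, b""


def classify_registry(base_url, timeout=5):
    """Probe /v2/ and report 'open', 'protected', 'not-a-registry' or 'unreachable'.

    For an open registry the repository list from /v2/_catalog is included,
    which is exactly the inventory an unauthenticated visitor could pull.
    """
    base = base_url.rstrip("/")
    status, headers, _ = _get(base + "/v2/", timeout)
    if status is None:
        return {"state": "unreachable", "repositories": []}
    # A real Distribution registry tags every /v2/ response with this header.
    is_registry = headers.get("Docker-Distribution-Api-Version", "").startswith("registry/2.0")
    if status == 401 and "WWW-Authenticate" in headers:
        return {"state": "protected", "repositories": []}
    if status == 200 and is_registry:
        cat_status, _, body = _get(base + "/v2/_catalog", timeout)
        repos = json.loads(body).get("repositories", []) if cat_status == 200 else []
        return {"state": "open", "repositories": repos}
    return {"state": "not-a-registry", "repositories": []}


class _MockRegistry(BaseHTTPRequestHandler):
    """Minimal stand-in for a registry; require_auth is set per mock server."""
    require_auth = False
    repos = ["vine/api", "vine/web"]          # constructed sample names

    def do_GET(self):
        if self.path not in ("/v2/", "/v2/_catalog"):
            self.send_response(404)
            self.end_headers()
            return
        if self.require_auth:                  # the correctly configured case
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="registry"')
            self.send_header("Docker-Distribution-Api-Version", "registry/2.0")
            self.end_headers()
            return
        body = b"{}" if self.path == "/v2/" else json.dumps(
            {"repositories": self.repos}).encode()
        self.send_response(200)                # the exposed case
        self.send_header("Content-Type", "application/json")
        self.send_header("Docker-Distribution-Api-Version", "registry/2.0")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):              # keep the demo output quiet
        pass


def start_mock(require_auth):
    """Start a mock registry on a free localhost port; return (server, base_url)."""
    handler = type("Handler", (_MockRegistry,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    for label, auth in (("open", False), ("protected", True)):
        srv, url = start_mock(require_auth=auth)
        print(label, classify_registry(url))
        srv.shutdown()
```

Any hostname that comes back as "open" with a non-empty repository list is the situation the article describes and should be fixed by putting an authentication backend (or at least a network restriction) in front of the registry, and by rotating every secret baked into the listed images.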
Hosting a fake clone of a website in order to trick people into revealing their passwords is a common tactic among phishing groups. Thankfully, no one else caught wise to Vine’s vulnerability and scammed anyone into handing over their personal details. Avicoder promptly reported the issue to Vine’s parent company Twitter on March 31.
Twitter apparently resolved the major Vine security blunder within 5 minutes and rewarded Avicoder $10080 (roughly Rs 6.8 lakh) for bringing the problem to their attention.