Twitter rewards Indian hacker $10,080 for uncovering Vine security bug

Docker is an open platform for building, shipping and managing applications and server images.

Twitter’s Vine source code was recently hacked and released online.

Using Censys.io, Avinash found over 80 Docker images, but he specifically went for the “vinewww” image because it looked like public_html, and he sensed that it could contain the source code.

On March 31, avicoder demonstrated a full exploitation of the security flaw to Twitter as part of its HackerOne bounty programme and the site then fixed the bug in around 5 minutes.

Usually, Docker installations are not publicly accessible, due to the sensitive nature of the content they handle. On further investigation, avicoder queried the API and found a total of 82 images available. In a blog post, Prakash wrote that on February 22, he had found a simple vulnerability that could have been used to hack into any user’s Facebook account and get access to their credit or debit card details, personal pictures and messages. There has to be something else going on here. The server itself was on AWS (Amazon Web Services) and should have been private. He downloaded the image and examined it with a Docker image viewer.

Regarding Vine’s entire source code, which he stumbled upon earlier this year, Singh revealed in a recent blog post that he had discovered a security vulnerability that enabled him to easily access the cache of code online.

Avicoder was able to make a local version of Vine using its source code.

According to Singh, the company fixed the problem within five minutes of him reporting it and awarded him $10,080 in return for pointing out the flaw.

Twitter awarded the researcher a reward of $10,080 for his work.

Indian hacker awarded Rs 6.8 lakh by Twitter for discovering Vine’s source code