Avinash, an Indian bug-bounty hunter, was recently paid $10,080 (around Rs 6.8 lakh) for discovering that Vine’s source code was publicly available.
Twitter founded Vine as a video-based micro-blogging platform that lets users upload 6-second looping videos. Reports state that Avinash discovered a Docker image for Vine while looking for vulnerabilities using censys.io.
In Censys’ own words, “Censys is the public search engine which enables researchers to quickly ask questions about hosts and the networks that compose the Internet.”
A Docker container bundles everything needed to run a piece of software: the code, system tools, libraries and so on. It is much like a system image, but more flexible, and is therefore seeing widespread use.
Twitter pays $10,080 to an Indian, for discovering Vine’s source code
The entire code for Vine had been stored in a Docker image that was used to host the site. The server itself was on AWS (Amazon Web Services) and should have been private. Using Censys, Avinash discovered that the image was public rather than private.
On downloading and running the image, he found that he could host a local copy of Vine himself and browse the source code, API keys and other critical information.
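The defender's lesson here is that an image is only as private as the registry hosting it, so anything baked into it (source, API keys) should be checked before it is pushed. The script below is an added example, not code from the article or from Twitter/Vine: it walks a `docker save` tarball, opens each `layer.tar` and flags files whose contents match secret-like patterns. The patterns and the embedded sample image are assumptions constructed for the demo.

```python
import io
import json
import re
import tarfile

# Illustrative patterns (an assumption; not an exhaustive secret-detection ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "generic_api_key": re.compile(rb"(?i)api[_-]?key\s*[=:]\s*['\"][^'\"]{16,}['\"]"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

def scan_image_tar(image_bytes):
    """Walk a `docker save` tarball; return (layer, path, pattern) for files that match."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        for member in image.getmembers():
            if not member.name.endswith("layer.tar"):
                continue  # manifest.json and config JSON are not filesystem layers
            layer_bytes = image.extractfile(member).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for entry in layer.getmembers():
                    if not entry.isfile():
                        continue
                    data = layer.extractfile(entry).read()
                    for name, pattern in SECRET_PATTERNS.items():
                        if pattern.search(data):
                            findings.append((member.name, entry.name, name))
    return findings

def _tar_bytes(files):
    """Build an uncompressed tar in memory from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed `docker save`-style sample: one layer with app source and a config holding made-up credentials."""
    layer = _tar_bytes({
        "app/main.py": b"print('hello')\n",
        "app/config.py": b"API_KEY = 'abcdefghijklmnopqrstuvwxyz0123'\n"
                         b"AWS_KEY = 'AKIAABCDEFGHIJKLMNOP'\n",
    })
    manifest = json.dumps([{"Config": "cfg.json", "Layers": ["layer1/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "layer1/layer.tar": layer})
```

Run `scan_image_tar(open("image.tar", "rb").read())` on the output of `docker save` in a CI step and fail the build on any finding; on the constructed sample it reports `app/config.py` twice, once per matching pattern.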
Avinash presented his findings to Twitter on 31 March, and they fixed the issue within 5 minutes. In return, Avinash received $10,080 for his troubles.
Bug bounties seem to be turning into a legitimate source of income for a select few ‘hackers’.