Twitter pays Indian hacker Rs 6.8 lakh for discovering Vine’s source code

Indian bug bounty hunter Avinash found Vine’s source code publicly available online. Avinash alerted Twitter to the security flaw and was rewarded around Rs 6.8 lakh.

An Indian white-hat hacker, Avinash, who goes by the handle @avicode, discovered a major security flaw in Twitter-owned Vine’s source code. Avinash found that Docker images used by Vine, which were supposed to be private, were publicly available on the web, which let him download Vine’s entire source code without any trouble at all.

On March 31, Avinash alerted Twitter to the security flaw, which was fixed within minutes of being reported. In return, Twitter rewarded Avinash $10,080, about Rs 6.8 lakh, for pointing out the flaw.

Avinash found that Vine’s source code was publicly available, and he was also able to see its API keys and third-party keys and secrets. Even running the image without any parameters let him host a replica of Vine locally. In other words, someone with ulterior motives would not have to build a mock-up of Vine’s services or create fake log-in screens to fool a user. The exposed source code would be like offering bait to phishing gangs on a silver platter.
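The lesson for anyone shipping containers is that an image is a filesystem snapshot, and whatever was baked into it (config files, .env files, hard-coded keys) travels with it to every registry it is pushed to. The following is an added example, not code from the article or from Twitter/Vine: it walks the layers of a `docker save` archive and flags strings that look like credentials, so an image can be checked before it leaves the build machine. The credential patterns (the documented AWS access key ID shape and a generic `KEY = "value"` form) and the sample image with planted fake secrets are constructed for the example.

```python
"""Scan a `docker save` tarball for embedded credentials.

Added example, not code from the original article or from Twitter/Vine.
It walks each layer of a saved image and flags strings that look like
API keys or secrets, so an image can be checked before it is pushed to
any registry, public or private.
"""
import io
import re
import tarfile

# Credential shapes worth flagging. The AKIA... form is the documented AWS
# access key ID format; the generic pattern catches KEY = "value" style
# assignments for the usual secret-ish variable names.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret": re.compile(
        rb"(?i)(?:api[_-]?key|secret|token|password)\b[^\n]{0,20}?[=:]\s*['\"]?[A-Za-z0-9/+_\-]{16,}"
    ),
}
MAX_FILE_BYTES = 1 << 20  # skip large binaries; secrets live in config/source


def scan_bytes(path, data):
    """Return (path, line, pattern_name) for every match in one file."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(data):
            line = data.count(b"\n", 0, m.start()) + 1
            findings.append((path, line, name))
    return findings


def scan_layer(layer_tar_bytes):
    """Scan every regular file inside one layer tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar_bytes), mode="r:*") as layer:
        for member in layer:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            data = layer.extractfile(member).read()
            findings.extend(scan_bytes(member.name, data))
    return findings


def scan_saved_image(image_tar_bytes):
    """Scan all layers of a `docker save` archive.

    Handles both the legacy <id>/layer.tar layout and the OCI blobs/ layout;
    blobs that are not tarballs (image config JSON, manifests) are skipped.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes), mode="r:*") as image:
        for member in image:
            if not member.isfile():
                continue
            if not (member.name.endswith("layer.tar") or member.name.startswith("blobs/")):
                continue
            blob = image.extractfile(member).read()
            try:
                findings.extend(scan_layer(blob))
            except tarfile.TarError:
                continue  # not a layer tarball
    return sorted(findings)


def _tar_from_files(files):
    """Build an in-memory tar archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed sample image (not a real Vine image): one layer holding a
    config file with two planted fake credentials and one clean README."""
    layer = _tar_from_files({
        "app/config.py": (
            b"# constructed sample, not real credentials\n"
            b"AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
            b"THIRD_PARTY_API_KEY = 'sample0123456789abcdef'\n"
            b"DEBUG = False\n"
        ),
        "app/README": b"Nothing to see here.\n",
    })
    return _tar_from_files({
        "manifest.json": b"[]",
        "deadbeef/layer.tar": layer,
    })


if __name__ == "__main__":
    for path, line, kind in scan_saved_image(build_sample_image()):
        print(f"{path}:{line}: {kind}")
```

Run it on a real archive with `scan_saved_image(open("image.tar", "rb").read())`. Pattern matching of this kind produces false positives and misses encoded secrets, so treat it as a gate in the build pipeline rather than proof that an image is clean; the durable fix is to inject credentials at run time instead of baking them into layers.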

Fortunately, Avinash found the loophole and Twitter fixed it immediately, before anyone with malicious intent found and exploited this flaw in Vine’s infrastructure.

Avinash, in his blog, explains how he obtained the source code of Vine. While enumerating subdomains for Twitter’s VRP (vulnerability rewards program), he came across the URL https://docker.vineapp.com on Censys.io. When he accessed it in a browser, the response showed /* private docker registry */ without requiring a login.

Using Censys.io, Avinash found over 80 Docker images, but he went straight for ‘vinewww’ because the name resembled public_html and he suspected it would contain the source code. Bull’s eye: the Docker image contained the entire source code for Vine.
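The root cause here is a registry that answered the Docker Registry HTTP API without asking for credentials. The check below is an added example, not from the article: it performs the same GET /v2/ request a Docker client makes and classifies the answer (200 means the API is usable as-is, 401 with a WWW-Authenticate header means the registry demands authentication, 404 means no v2 registry is there), so an operator can audit their own registry hosts. The registry URL in the block is a placeholder.

```python
"""Audit whether a Docker registry serves the v2 API without authentication.

Added example, not from the original article. Per the Docker Registry HTTP
API V2, GET /v2/ answers 200 when the caller may use the API and 401 with a
WWW-Authenticate header when credentials are required. Run it against
registries you operate; the URL under __main__ is a placeholder.
"""
import urllib.error
import urllib.request


def classify_registry(status, headers):
    """Map the status and headers of a GET /v2/ response to an audit verdict."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    is_v2 = hdrs.get("docker-distribution-api-version", "").startswith("registry/2")
    if status == 200:
        # Exactly the condition that exposed Vine's images: no login needed.
        return "anonymous-read" if is_v2 else "open-but-not-v2-registry"
    if status == 401 and "www-authenticate" in hdrs:
        return "auth-required"
    if status == 404:
        return "not-a-v2-registry"
    return f"unexpected-{status}"


def check_registry(base_url, timeout=5):
    """Send the GET /v2/ probe to one registry base URL and classify it."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_registry(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as e:
        # 401/404 arrive as HTTPError; the headers are still on the exception.
        return classify_registry(e.code, dict(e.headers))


if __name__ == "__main__":
    # Placeholder hostname: replace with a registry you are responsible for.
    print(check_registry("https://registry.example.internal"))
```

A verdict of "anonymous-read" on an internet-facing host is the finding to act on; the usual fixes are enabling token or htpasswd authentication on the registry and keeping it off the public internet behind a VPN or an allow-listed reverse proxy. Scheduling this probe against an inventory of registry hosts turns a one-off bug-bounty discovery into a standing control.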

However, instead of misusing the information, Avinash immediately informed Twitter of the security flaw. The 23-year-old bug bounty hunter also wrote in his blog that he started participating in various VRPs in 2015 and has been very active since. He especially takes part in Twitter’s bug bounty program since Twitter responds quickly and releases the bounty as soon as the bug is triaged.

A similar case was that of Anand Prakash, a Bangalore-based white-hat hacker and security analyst at Flipkart, who was rewarded Rs 10 lakh for finding a Facebook bug. It was reported that he had earned about Rs 1.1 crore from different bug bounty programs.

Source: bgr.in
