Avinash Singh reported the security loophole to Twitter on 31 March.
AB Wire
Twitter paid $10,080 to Avinash Singh, an Indian white hat hacker, for discovering, through Twitter’s bug bounty program, a security hole that made Vine’s source code publicly available.
Twitter’s Vine is a sort of video-based micro-blogging platform that allows users to upload 6 seconds of looping video.
Singh reported the security loophole to Twitter on 31 March, and the company fixed the issue within 5 minutes. The company awarded Avinash $10,080 through a bug bounty startup named HackerOne.
Singh discovered the code while looking for vulnerabilities using censys.io, a search engine that scans networks to help hackers identify vulnerable internet-connected devices.
The whole code for Vine was stored as part of a Docker image used to host the site. Using Censys, Avinash discovered that the image was public, not private as it should have been.
“It’s third party keys, API keys and other secrets, even running the image without any parameter, was letting me host a replica of VINE locally,” Singh explained in his blog, called Whiskey Tango Foxtrot.
Singh, whose online handle is ‘avicoder’, also mentioned that he doesn’t intend to share Vine’s source code, and Twitter has already plugged the leak.
“I respect the NDA and fine line between black hat/white hat,” he wrote.
Social Media Update:
Twitter's Vine source code disclosure bug
$10080 #BugBounty https://t.co/ISQH4SqCMQ pic.twitter.com/Hb6fGw70Qw — avicoder 🧘 (@avicoder) July 22, 2016