14 DAY TRIAL // It took Twitter five minutes to fix a critical security flaw that would have allowed an attacker to download Vine's entire source code from its servers.
Security researcher Avicoder is the one who discovered this issue, which he reported to Twitter on March 31.
At the core of this issue resides an insecure Docker setup used by Twitter's staff to manage Vine's content.
Internet-available Docker installation exposes Vine source code
Docker is an open platform for managing server images, building, shipping and managing applications. Docker can be used to deploy OS images for laptops, VMs, or cloud servers alike.
Usually, Docker installations are not publicly accessible, due to the sensitive nature of the content they handle. Twitter's Docker installation was, and that allowed Avicoder to probe around to see what he could discover.
Even worse, Twitter wasn't running the latest version of Docker (v2), but an older API, v1. Leveraging the Docker API v1 documentation site, Avicoder tried all the commands he could find, to discover what actions he could perform.
He discovered that a range of commands were available to him, including the possibility of searching and retrieving content from Twitter's Docker setup.
Researcher downloaded over 80 Docker images from Twitter's Vine servers
The researcher was able to discover and download over 80 server images from Twitter's Docker installation.
After installing several of those OS images on his laptop using a local Docker client, the researcher realized that one of those server images contained the Vine service's entire source code.
"I was able to see the entire source code of vine, its API keys and third party keys and secrets," Avicoder explains. "Even running the image without any parameter, was letting me host a replica of VINE locally."
The researcher wrote Twitter about his findings. Five minutes later, the Docker installation was secured. The company awarded the researcher a bug bounty reward of $10,080 for his work.
Happiness is this !!! Write-up is coming soon at https://t.co/JbmlhNVzc0 ... pic.twitter.com/phEnaPt39W — {{ avicoder }} (@avicoder) April 2, 2016
