Researcher scores $10K+ bounty for digging up Vine’s source code

A researcher earned $10,080 from Twitter's bug bounty program after discovering he could access a supposedly private online registry that led him to the complete source code for Twitter's Vine video-sharing service.

The researcher, known online as Avicoder and identified in some reports as Indian computer security researcher Avinash Singh, reported in a blog post that the vulnerability resided in an insecure setup for Docker, an open-platform software container technology that helps companies build, deploy and run applications.

Earlier this year, Avicoder sniffed out a private Vine app Docker registry that was inadvertently accessible to the public. According to his blog, Avicoder queried the registry and accessed over 80 images, one of which contained “the entire source code of vine, its API keys and third party keys and secrets,” allowing him to “host a replica of Vine locally.”

Avicoder reported the bug to Twitter in March, and the bug was fixed in five minutes.

Bradley Barth
