A researcher earned $10,080 from Twitter's bug bounty program after discovering he could access a supposedly private online registry that led him to the complete source code for Twitter's Vine video-sharing service.
The researcher, known online as Avicoder and identified in some reports as Indian computer security researcher Avinash Singh, reported in a blog post that the vulnerability resided in an insecure setup for Docker, an open-platform software container technology that helps companies build, deploy and run applications.
Earlier this year, Avicoder sniffed out a private Vine app Docker registry that was inadvertently accessible to the public. According to his blog, Avicoder queried the registry and accessed over 80 images, one of which contained “the entire source code of vine, its API keys and third party keys and secrets,” allowing him to “host a replica of Vine locally.”
Avicoder reported the bug to Twitter in March; it was fixed within five minutes.
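The exposure described above comes down to a Docker Registry v2 endpoint that answered unauthenticated requests. A defender's self-check for that condition, as an added example that is not from the article or from Twitter: it probes `/v2/` and `/v2/_catalog` without credentials and reports whether the registry issued an auth challenge or simply handed back its repository list. The in-process mock server, the hostnames and the repository names (`app-api`, `app-web`) are constructed for the demonstration; point `audit_registry` at your own registry's base URL to run it for real.

```python
"""Self-audit: does a Docker Registry v2 endpoint demand credentials?

Added example (not the article's or Twitter's code). A properly locked
registry answers unauthenticated GET /v2/ with 401 plus a WWW-Authenticate
challenge; an open one answers 200 and exposes /v2/_catalog.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(base_url: str, path: str, timeout: float = 5.0):
    """Unauthenticated GET; returns (status, WWW-Authenticate header, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # 401/403 etc. arrive as exceptions; the challenge header lives on e.headers
        return e.code, e.headers.get("WWW-Authenticate"), e.read().decode("utf-8", "replace")


def audit_registry(base_url: str) -> dict:
    """Classify a registry's exposure: locked (401 + challenge) or open (catalog readable)."""
    status, challenge, _ = probe(base_url, "/v2/")
    result = {
        "base_url": base_url,
        "v2_status": status,
        "requires_auth": status == 401 and bool(challenge),
        "repositories": [],
        "finding": "OK: registry challenges anonymous clients",
    }
    if result["requires_auth"]:
        return result
    cat_status, _, cat_body = probe(base_url, "/v2/_catalog")
    if cat_status == 200:
        try:
            result["repositories"] = json.loads(cat_body).get("repositories", [])
        except json.JSONDecodeError:
            pass
        result["finding"] = "OPEN: repository catalog readable without credentials"
    else:
        result["finding"] = "WARN: /v2/ reachable without an auth challenge"
    return result


# --- constructed mock registry used only so the example runs offline -------
def make_mock_handler(open_registry: bool):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            if not open_registry:  # hardened behaviour: challenge every anonymous request
                body = b'{"errors":[{"code":"UNAUTHORIZED"}]}'
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="registry"')
            else:  # misconfigured behaviour: anonymous reads succeed
                body = b"{}" if self.path == "/v2/" else b'{"repositories":["app-api","app-web"]}'
                self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


def start_mock(open_registry: bool):
    """Start a throwaway registry mock on an ephemeral port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_mock_handler(open_registry))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo() -> dict:
    """Audit one open and one locked mock registry; returns both reports."""
    reports = {}
    for label, is_open in (("open", True), ("locked", False)):
        server, url = start_mock(is_open)
        try:
            reports[label] = audit_registry(url)
        finally:
            server.shutdown()
            server.server_close()
    return reports


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real registry the only lines that matter are `probe` and `audit_registry`; the mock exists so the two outcomes (an open catalog versus a 401 challenge) can be seen side by side without touching any live system.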