Security researcher Avicoder recently disclosed a flaw in Twitter's infrastructure for Vine that allowed anyone to download Vine's entire source code. At the heart of the vulnerability was the Docker registry Twitter used to store Vine's container images, which was reachable from the public internet. Avicoder reported the issue to Twitter in March and was rewarded around $10,000 under Twitter's bug bounty program.
"I was able to see the entire source code of Vine, its API keys and third party keys and secrets," the researcher wrote in his write-up. "Even running the image without any parameter was letting me host a replica of VINE locally."
Because a Docker registry holds highly sensitive material (server images, application builds, OS base images, and whatever configuration and secrets were baked into them at build time), a private registry is normally kept off the public internet or behind authentication. Twitter's registry for Vine, however, answered unauthenticated requests from anyone. On top of that, it was still running the legacy Docker Registry API (v1). After experimenting with v1 API requests, Avicoder was able to list more than 80 images on the registry and pull them. One of those images contained Vine's entire source code, and because it also carried the application's keys and secrets, running it locally was enough to stand up a working copy of the service.
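The check a practitioner would want to run against their own hosts is whether a registry answers anonymous clients at all, and if so, what it lists. The script below is an added example, not code from the original article or from Avicoder's write-up. It probes the well-known endpoints of both registry API generations (`/v2/` and `/v2/_catalog` for the current API, `/v1/_ping` and `/v1/search` for the legacy one) without credentials and reports what an outsider could enumerate. The hostname `registry.example.test` and the sample responses are constructed for the demonstration; whether an empty `q=` query to `/v1/search` lists every repository depends on the registry implementation, so treat that part as an assumption.

```python
"""Audit a Docker registry for anonymous access and list what it exposes (added example)."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def http_get(url, timeout=5):
    """Unauthenticated GET. Returns (status, body); status is None if the host is unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 401/403/404 still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def parse_v1_search(body):
    """Legacy v1 API: GET /v1/search returns {"results": [{"name": ..., "description": ...}]}."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return [r.get("name", "") for r in doc.get("results", []) if isinstance(r, dict)]


def parse_v2_catalog(body):
    """Registry v2 API: GET /v2/_catalog returns {"repositories": [...]}."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return [r for r in doc.get("repositories", []) if isinstance(r, str)]


def audit_registry(base_url, fetch=http_get):
    """Probe a registry with no credentials and report what anonymous clients can see."""
    base = base_url.rstrip("/")
    report = {"base_url": base, "api": None, "anonymous": False, "repositories": []}

    # A v2 registry answers /v2/ with 200 when open and 401 when it wants a token.
    status, _ = fetch(base + "/v2/")
    if status == 200:
        report["api"], report["anonymous"] = "v2", True
        status, body = fetch(base + "/v2/_catalog")
        if status == 200:
            report["repositories"] = parse_v2_catalog(body)
        return report
    if status in (401, 403):
        report["api"] = "v2"
        return report

    # Otherwise try the legacy v1 API, the generation the exposed Vine registry spoke.
    status, _ = fetch(base + "/v1/_ping")
    if status == 200:
        report["api"] = "v1"
        # Assumption: an empty query lists everything (true of the old Python registry).
        status, body = fetch(base + "/v1/search?q=")
        if status == 200:
            report["anonymous"] = True
            report["repositories"] = parse_v1_search(body)
        return report
    if status in (401, 403):
        report["api"] = "v1"
    return report


# Constructed sample responses (not captured from any real registry), keyed by path+query.
SAMPLE_OPEN_V1 = {   # a legacy registry that answers anyone, like the one in the story
    "/v2/": (404, ""),
    "/v1/_ping": (200, "true"),
    "/v1/search?q=": (200, json.dumps({"num_results": 2, "results": [
        {"name": "acme/web", "description": "frontend"},
        {"name": "acme/api", "description": "backend, config baked in"}]})),
}
SAMPLE_LOCKED_V2 = {  # a current registry that demands a token before showing anything
    "/v2/": (401, '{"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}'),
}


def make_fake_fetch(responses):
    """Build an offline stand-in for http_get that serves the sample responses above."""
    def fetch(url, timeout=5):
        parsed = urllib.parse.urlparse(url)
        key = parsed.path + ("?" + parsed.query if parsed.query else "")
        return responses.get(key, (404, ""))
    return fetch


if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. python audit.py https://registry.internal.example
        result = audit_registry(sys.argv[1])
    else:                            # offline demo against the constructed responses
        result = audit_registry("https://registry.example.test",
                                fetch=make_fake_fetch(SAMPLE_OPEN_V1))
    print(json.dumps(result, indent=2))
```

A report with `"anonymous": true` and a non-empty repository list is the condition that bit Vine: from there an attacker only needs `docker pull` to obtain every image, and whatever credentials were baked into those images are gone regardless of how quickly the registry is locked down afterwards. Putting the registry behind authentication fixes the exposure; keeping secrets out of image layers in the first place limits what a future exposure costs.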
Within five minutes of Avicoder's report, Twitter locked down the registry. Avicoder lays out his path to finding the exposure and extracting the sensitive data in a detailed post titled Twitter Vine's Source code dump. While the source code should never have been reachable from the outside, Twitter was quick to respond, and paid out the bounty within a couple of days.