Avicoder, who was the first to discover this issue, reported it to Twitter on March 31.

The flaw in Vine allowed avicoder to download a Docker image containing the app's source code.

Docker is an open platform for building, shipping, and running applications in containers; a Docker image packages an application together with its code and dependencies, and images are normally pushed to and pulled from a registry.

Here’s How The Hacker Downloaded Vine’s Entire Source Code

The same image runs on a laptop, a VM, or a cloud server alike, so whoever can pull an image from the registry gets everything packed into it. If that registry is reachable without authentication, anyone who finds it can pull the images.

While running a penetration test, Avinash was surprised to discover that Vine's Docker images were publicly available online.

Using censys.io, avicoder found a publicly accessible subdomain that appeared to be hosting a Docker registry.


On further investigation, avicoder queried the registry's API and found a total of 82 images available for download without any authentication.

“Censys.io gave me an interesting URL https://docker.vineapp.com in its result,” Avinash wrote in a blog post.

“If it is supposed to be private, then why is it publicly accessible? There has to be something else going on here.”
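The check avicoder describes, probing a registry for unauthenticated access and enumerating what it serves, is easy to script against the Docker Registry HTTP API v2. The following is an added example written for this page; it is not code from the article or from avicoder's blog. It goes slightly beyond the single case in the text: it follows the API's Link-header pagination across catalogue pages and also shows what a correctly protected registry returns. The host registry.example.test, the auth realm, and the image names are hypothetical, and the responses in FAKE_REGISTRY are constructed so the script runs offline; swap in http_fetch only against a host you are authorised to test.

```python
"""Audit a Docker Registry HTTP API v2 endpoint for unauthenticated access.

Added example, not from the original article or avicoder's blog.
Endpoints used (/v2/, /v2/_catalog, /v2/<name>/tags/list) and the
Link: <...>; rel="next" pagination are those of the Registry HTTP API v2.
The fetch callable is injected so the audit runs offline against the
constructed responses below; use http_fetch for a live, authorised target.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# (status, body, headers)
Response = Tuple[int, str, Dict[str, str]]
Fetch = Callable[[str], Response]


def http_fetch(url: str) -> Response:
    """Plain HTTP GET with no credentials; only used against live hosts."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace"), dict(e.headers)


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (servers vary in capitalisation)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def is_open_registry(base: str, fetch: Fetch) -> bool:
    """True when /v2/ answers 200 with no credentials.

    A protected registry answers 401 with a WWW-Authenticate challenge
    (Bearer realm=... or Basic); 200 means anyone can enumerate and pull.
    """
    status, _, _ = fetch(f"{base}/v2/")
    return status == 200


def list_repositories(base: str, fetch: Fetch, page_size: int = 100) -> List[str]:
    """Walk /v2/_catalog, following Link: <path>; rel="next" until exhausted."""
    repos: List[str] = []
    url: Optional[str] = f"{base}/v2/_catalog?n={page_size}"
    while url:
        status, body, headers = fetch(url)
        if status != 200:
            break
        repos.extend(json.loads(body).get("repositories", []))
        m = re.search(r'<([^>]+)>;\s*rel="next"', header(headers, "Link"))
        url = base + m.group(1) if m else None
    return repos


def list_tags(base: str, repo: str, fetch: Fetch) -> List[str]:
    """Tags for one repository; "tags" may be null for an empty repo."""
    status, body, _ = fetch(f"{base}/v2/{repo}/tags/list")
    if status != 200:
        return []
    return json.loads(body).get("tags") or []


def audit(base: str, fetch: Fetch = http_fetch, page_size: int = 100) -> Dict[str, List[str]]:
    """Return {repo: [tags]} for every image pullable without auth; {} if protected."""
    if not is_open_registry(base, fetch):
        return {}
    return {r: list_tags(base, r, fetch) for r in list_repositories(base, fetch, page_size)}


# Constructed responses imitating an unauthenticated registry (hypothetical
# host and image names; not Vine's real catalogue). Page size 2 over three
# repositories exercises the pagination path.
FAKE_BASE = "https://registry.example.test"
FAKE_REGISTRY: Dict[str, Response] = {
    "/v2/": (200, "{}", {"Docker-Distribution-API-Version": "registry/2.0"}),
    "/v2/_catalog?n=2": (200, '{"repositories":["app-web","app-worker"]}',
                         {"link": '</v2/_catalog?n=2&last=app-worker>; rel="next"'}),
    "/v2/_catalog?n=2&last=app-worker": (200, '{"repositories":["nginx-proxy"]}', {}),
    "/v2/app-web/tags/list": (200, '{"name":"app-web","tags":["latest","v42"]}', {}),
    "/v2/app-worker/tags/list": (200, '{"name":"app-worker","tags":["latest"]}', {}),
    "/v2/nginx-proxy/tags/list": (200, '{"name":"nginx-proxy","tags":null}', {}),
}


def fake_fetch(url: str) -> Response:
    return FAKE_REGISTRY.get(url[len(FAKE_BASE):], (404, "", {}))


def protected_fetch(url: str) -> Response:
    """What a correctly configured registry returns to an anonymous client."""
    return (401, '{"errors":[{"code":"UNAUTHORIZED"}]}',
            {"WWW-Authenticate": 'Bearer realm="https://auth.example.test/token"'})


if __name__ == "__main__":
    print(json.dumps(audit(FAKE_BASE, fake_fetch, page_size=2), indent=2))
    print("protected registry:", audit(FAKE_BASE, protected_fetch))
```

A 200 from /v2/ with no credentials is the whole finding: from that point every repository in the catalogue can be pulled with a plain docker pull, which is exactly what turned an open subdomain into a copy of the source code. The fetch callable is injected rather than hard-wired so the same audit logic can be unit-tested against constructed responses and pointed at a real host only when there is authorisation to do so.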

One of the images, named vinewww, was the Vine web application itself.

He pulled the image and examined its layers with a Docker image viewer, which revealed the application's source code.

“Even running the image without any parameter was letting me host a replica of VINE locally,” he wrote.

Twitter may have been serving these Vine images from the publicly reachable registry for months.

Twitter awarded the researcher a reward of $10,080 for his work in April.

Twitter fixed the problem within five minutes.

source: www.techworm.net