Twitter needed only about five minutes to close a critical security hole that allowed an attacker to download the entire Vine source code from its servers.
Security researcher Avicoder is the one who discovered the hole and reported it on Twitter on 31 March.
The problem was in the Docker installation that Twitter staff used to manage Vine's content.
Docker is an open platform for managing images and applications in general; it can also be used to build OS images for laptops, virtual machines or cloud servers.
Docker installations are normally not reachable from the public internet because of the sensitive nature of the content they manage.
Twitter's Docker installation, however, appeared to be exposed, which allowed Avicoder to interact with it.
At first glance he saw that Twitter was not running the latest version of the Docker API (v2) but the older version 1. Using the online documentation of the Docker API v1, Avicoder started testing every command he could find to discover which actions he could perform.
He found that some commands let him search for and retrieve content from Twitter's Docker installation.
In this way the researcher discovered and downloaded more than 80 server images from Twitter's Docker installation.
He then ran several of these OS images on his laptop with a local Docker client and found that one of them contained the entire Vine source code.
"I was able to see the entire Vine source code, API keys and third-party keys," says Avicoder.
The researcher tweeted his findings, and five minutes later the Docker installation was fixed. The company will reward the researcher with $10,080.
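The root cause described above is a registry that answers image listings and pulls without any authentication. As an added illustration that is not Twitter's configuration (which was never published), here is the weak setting beside the hardened one for the open-source Docker registry that implements the current v2 API, the successor of the v1 API the article mentions; the hostnames, addresses, realm name and file paths are assumed placeholders.

```yaml
# Added example: Docker Distribution registry config.yml (API v2).
# WEAK: no auth section and plain HTTP. Anyone who can reach port 5000
# can list repositories and pull every image and layer, which is the
# same class of exposure the article describes for the old v1 API.
version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: 0.0.0.0:5000

---
# HARDENED: TLS on the listener, credentials required for every request,
# and the listener bound to an internal address (assumed network layout).
version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: false                    # pushes only; no remote deletion
auth:
  htpasswd:
    realm: internal-registry          # assumed realm name
    path: /etc/docker/registry/htpasswd   # assumed path; bcrypt entries only
http:
  addr: 10.0.0.5:5000                 # assumed internal address, not 0.0.0.0
  tls:
    certificate: /etc/docker/registry/tls/registry.crt   # assumed path
    key: /etc/docker/registry/tls/registry.key           # assumed path
  headers:
    X-Content-Type-Options: [nosniff]
log:
  level: info                         # keep access logs for pull auditing
  fields:
    service: registry
```

A quick self-check for the hardened setup is that an unauthenticated request to the registry's catalog endpoint returns 401 and `docker pull` fails until `docker login` succeeds. Since the damage here came from keys baked into image layers, images should also be scanned for secrets before they are pushed.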