Hacker downloaded the entire Vine source code

Twitter needed about five minutes to fix a critical security gap that allowed an attacker to download the entire Vine source code from its servers.

Security researcher Avicoder discovered this security gap and reported it to Twitter on 31 March.
The gap existed in the Docker setup used by Twitter staff to curate Vine content.

Docker is an open platform for image management and application management in general. It can also be used to create OS images for laptops, VMs or cloud servers.

Typically, Docker installations are not accessible to the public because of the sensitive nature of the content they manage. Twitter's Docker installation, however, appears to have been exposed, which allowed Avicoder to work with it.

At first glance he discovered that Twitter was not running the latest version of Docker (v2), but an older API, version 1. Using the documentation of the Docker API v1, Avicoder started trying all the commands he could find, figuring out what actions he could perform.

He discovered that some commands enabled him to search and retrieve content from the Twitter Docker settings.

In this way the researcher discovered and downloaded over 80 server images from Twitter's Docker installation.

He then installed several of these OS images on his laptop using a local Docker client and found that one of these server images contained the entire Vine source code.

"I was able to see the entire Vine source code, API keys and third-party keys," says Avicoder.

The researcher reported his findings to Twitter and five minutes later the Docker installation was corrected. The company will reward the researcher with 10,080 dollars.

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
