An Indian hacker says he recently discovered that the source code of Vine, a Twitter subsidiary, was exposed: it was out in the open for anyone to see and copy, and to practically clone the Vine website. When he reported the vulnerability to the company, he was awarded $10,800 (approx. ₹6.8 lakh) under its 'Bug Bounty' program.
Avinash found the bug and reported it to Vine on 21 March. He was able to download the complete image of the Vine source code through Docker, a platform for packaging and running applications in containers. The image was hosted on a public AWS (Amazon Web Services) domain.
"I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter was letting me host a replica of VINE locally," Avinash wrote on his blog.
Here is the timeline of what happened when Avinash reported the bug.
- March 21, 2016 - Bug reported through HackerOne
- March 22, 2016 - Need more info
- March 31, 2016 - Full exploitation shown
- March 31, 2016 - Bug fixed (within 5 minutes)
- April 2, 2016 - $10,080 bounty awarded
Twitter has been taking its Bug Bounty program very seriously. In March, it was reported that the microblogging social network had paid almost $300,000 over 2 years to hackers who had reported bugs.
Facebook is another company known for giving handsome rewards for finding vulnerabilities in its website or app. It has paid over $4.3 million to more than 800 researchers since the program was started in 2011. Earlier this year, a techie from Bengaluru was awarded $15,000 by Facebook for finding a bug related to password protection of accounts.