Security Social Networks Network Privacy Programming Twitter News Technology

Vine's Source Code Was Accidentally Made Public For Five Minutes (theregister.co.uk)

An anonymous reader writes from The Register: Vine, the six-second-video-loop app acquired by Twitter in 2012, had its source code made publicly available by a bounty-hunter for everyone to see. The Register reports: "According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request. After that it's all too easy: the docker pull https://docker.vineapp.com:443/library/vinewww request loaded the code, and he could then open the Docker image and run it. 'I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter, [it] was letting me host a replica of Vine locally.' The code included 'API keys, third party keys and secrets,' he writes. Twitter's bounty program paid out -- $10,080 -- and the problem was fixed in March (within five minutes of him demonstrating the issue)."
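The failure described in the summary is a registry that answers anonymous `docker pull` requests. The Docker Registry HTTP API v2 makes this easy to verify from the outside: `GET /v2/` must return 401 with a `WWW-Authenticate` header when credentials are required, and 200 when the caller is let in. The following check, added here as an example and not taken from the story, the bounty report or Docker's own tooling, classifies that response so an operator can confirm their own registry is closed; the two sample responses are constructed, and `probe_registry` is a hypothetical helper name.

```python
"""Verify that a Docker Registry v2 endpoint you operate enforces authentication.

Per the Registry HTTP API v2, an unauthenticated GET /v2/ should be answered
with 401 + WWW-Authenticate on a protected registry; a 200 means anonymous
pulls of every repository are allowed.
"""
import sys
import urllib.error
import urllib.request
from typing import Mapping

API_VERSION_HEADER = "docker-distribution-api-version"


def classify_registry_response(status: int, headers: Mapping[str, str]) -> str:
    """Classify the response to an anonymous GET /v2/.

    Returns:
      "open"          - 200 from a v2 registry: anonymous pulls allowed
      "auth-required" - 401 carrying WWW-Authenticate: auth is enforced
      "not-v2"        - anything else (not a v2 registry, or misconfigured)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    is_v2 = lower.get(API_VERSION_HEADER, "").startswith("registry/2.0")
    if status == 200 and is_v2:
        return "open"
    if status == 401 and "www-authenticate" in lower:
        return "auth-required"
    return "not-v2"


def probe_registry(base_url: str, timeout: float = 5.0) -> str:
    """Send the anonymous GET /v2/ to a registry you are responsible for."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_registry_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        # 401 arrives as an HTTPError; its headers carry WWW-Authenticate.
        return classify_registry_response(err.code, dict(err.headers))


# Constructed sample responses (not captured from any real registry).
SAMPLE_OPEN = (200, {"Docker-Distribution-API-Version": "registry/2.0",
                     "Content-Type": "application/json"})
SAMPLE_HARDENED = (401, {"Docker-Distribution-API-Version": "registry/2.0",
                         "WWW-Authenticate": 'Basic realm="Registry Realm"'})


if __name__ == "__main__":
    for label, (status, headers) in (("open", SAMPLE_OPEN), ("hardened", SAMPLE_HARDENED)):
        print(f"sample {label:8s} -> {classify_registry_response(status, headers)}")
    if len(sys.argv) > 1:
        # Usage: python registry_check.py https://registry.example.internal
        print(f"{sys.argv[1]} -> {probe_registry(sys.argv[1])}")
```

Run it against your own registry URL; anything other than `auth-required` means the deployment needs the auth section of the registry configuration (or the reverse proxy in front of it) revisited.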

  • o... BeauHD!!! Congratulations!

    Although the title says "Vine's Source Code Was Accidentally Made Public For Five Minutes ", the code was available for an indeterminate amount of time, reported as a problem, asked for more info by Twitter, then fixed 5 minutes after proof was shown.

    Here's the real source: https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/

    Not some shitty summation from the register.

  • RTFA? Don't bother. The entirety of the article is in the summary, for once.

  • The Docker Registry deployment instructions [docker.com] specifically walk you through restricting access using basic auth. Did someone not read the instructions, or did they try to get fancy and screw something up?

  • The text of the third link reads "this post", but the target is "https://github.com/vjex", which is not actually a post. The *expected* target (avicoder's original post) is quite possibly the most relevant and useful page to associate with the story, yet that's missing in its entirety.

    I try to cut the editors some slack (typos, incomplete sentences, poor wording/grammar, etc...), but a blatantly false title and a mistargeted link are enough to pull me out of the woodwork.

  • ....for longer and some improvements might ensue!
  • I have a new startup everyone should check out called... umm.. Chime. Yes. Chime. That will do, nicely. It's an innovative app that allows you to upload and share 6 second movies...
  • by El_Muerte_TDS ( 592157 ) on Tuesday July 26, 2016 @02:34AM (#52580379) Homepage

    It was public for a much longer, unknown time.

  • Vine's Source Code Was Accidentally Made Public For Five Minutes

    Incorrect.

    Twitter's bounty program paid out - US$10,080 - and the problem was fixed in March (within five minutes of him demonstrating the issue).

    Who knows how long the docker container was actually available to the public.

    had its source code made publicly available by a bounty-hunter

    Where did that come from? I saw nothing in the article or the blog post that said the "bounty hunter" made the source code available to anyone.

  • I think the next gen version will be called Grape and offer tomorrow's children videos that are 1.8 seconds long.

  • Deploy with one click. But your image contains all your secrets (and outdated libs of course).
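The comment above points at the second half of the problem: once an image is pullable, whatever was baked into its filesystem (config files, `.env` files, private keys) comes with it. The scanner below is an added example, not code from the story or from any Docker project, showing the kind of pre-push check that catches this. It walks one image layer tarball (the per-layer `layer.tar` files inside a `docker save` archive have this shape) and flags text files containing credential-style assignments or PEM private keys. The sample layer and its contents are constructed in memory; `scan_layer` and `build_sample_layer` are hypothetical names.

```python
"""Flag credential-looking content inside a container image layer tarball."""
import io
import re
import tarfile
from typing import List, Tuple

# (label, pattern): a KEY=value / key: value line whose name suggests a
# credential, and the PEM armour of any private key.
SECRET_PATTERNS = [
    ("assignment", re.compile(
        r"(?i)\b[A-Z0-9_]*(secret|api[_-]?key|token|password)[A-Z0-9_]*"
        r"\s*[=:]\s*['\"]?[^\s'\"]{8,}")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
MAX_FILE_BYTES = 1_000_000  # skip large blobs; they are rarely config files


def scan_layer(layer: bytes) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, pattern_label) for every suspicious line."""
    hits: List[Tuple[str, int, str]] = []
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            data = handle.read()
            if b"\x00" in data[:8000]:  # binary file, not a config
                continue
            text = data.decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for label, pattern in SECRET_PATTERNS:
                    if pattern.search(line):
                        hits.append((member.name, lineno, label))
                        break
    return hits


def build_sample_layer() -> bytes:
    """Constructed layer: one leaked .env, one leaked key, one harmless file."""
    files = {
        "app/config/.env": (
            "DB_HOST=db.internal\n"
            "AWS_SECRET_ACCESS_KEY=EXAMPLEexampleEXAMPLEexample1234\n"),  # placeholder value
        "app/README.md": "# Sample app\nNothing to see here.\n",
        "etc/ssl/private/server.key": (
            "-----BEGIN RSA PRIVATE KEY-----\nNOTAREALKEY\n"
            "-----END RSA PRIVATE KEY-----\n"),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for path, lineno, label in scan_layer(build_sample_layer()):
        print(f"{path}:{lineno}: {label}")
```

Pattern matching of this kind produces false positives by design; the point is to fail the build and make a human look before the image reaches a registry, since anything that makes it into a layer stays there even if a later layer deletes the file.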
