Vine's Source Code Was Accidentally Made Public For Five Minutes (theregister.co.uk)
An anonymous reader writes from The Register: Vine, the six-second-video-loop app acquired by Twitter in 2012, had its source code made publicly available by a bounty-hunter for everyone to see. The Register reports: "According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request. After that it's all too easy: the docker pull https://docker.vineapp.com:443/library/vinewww request loaded the code, and he could then open the Docker image and run it. 'I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter, [it] was letting me host a replica of Vine locally.' The code included 'API keys, third party keys and secrets,' he writes. Twitter's bounty program paid out -- $10,080 -- and the problem was fixed in March (within five minutes of him demonstrating the issue)."
and the award for the most misleading title goes t (Score:1)
o... BeauHD!!! Congratulations!
Although the title says "Vine's Source Code Was Accidentally Made Public For Five Minutes", the code was available for an indeterminate amount of time, was reported as a problem, Twitter asked for more info, and it was then fixed 5 minutes after proof was shown.
Here's the real source: https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
Not some shitty summation from The Register.
Re: (Score:1)
Agreed, I noticed this immediately. I RTFA (which is practically the same as the summary anyway) just to check. Thanks for the link.
Re:and the award for the most misleading title goe (Score:4, Funny)
o... BeauHD!!! Congratulations!
Oh come on now. Don't be so hard on the poor guy. At least this time he didn't add a gratuitous link to something like grape vines of Southern California.
Re: (Score:2)
That's funny, because this page:
http://www.techinvestornews.co... [techinvestornews.com]
sometimes has non-Apple Inc. related articles on it.
Their scanner doesn't reject pages well enough. IIRC, they're usually companies in other industries with Apple in the name, not actual produce-related articles. In my very quick skim of the first page right now, I don't see any non-Apple Inc. related articles.
RTFA? (Score:2)
RTFA? Don't bother. The entirety of the article is in the summary, for once.
Not even using basic auth? (Score:2)
The Docker Registry deployment instructions [docker.com] specifically walk you through restricting access using basic auth. Did someone not read the instructions, or did they try to get fancy and screw something up?
Re: (Score:2)
It's like those plug-n-play wireless routers back in the day. Who needs instructions when it works out of the box?
Still a felony under the CFAA (Score:2)
Still a felony under the CFAA; better get a good lawyer.
Re: (Score:2)
Not even that. The Docker control system (docker-compose, or any of the clustering stuff) should mount keys and configurations as a volume, which you handle through a separate supply chain (which is better-controlled).
Re: (Score:2)
Finally truth in an ad revenue site valuation. The code ain't the value.
Re: (Score:1)
Please read the summary again, with particular attention to phrases like "its API keys and third party keys and secrets." -PCP
Re: (Score:2)
"its API keys and third party keys and secrets." -PCP
But who cares? That's just an administrative issue.
Those API keys are their own, yes? So they can just change them and update all of their clients/users.
If the keys are for other third party services then they can have them reissued - and of course they are probably only talking about some video encoding service as well as the gob loads of advertising 3rd parties, and who cares about them anyway?
The source code is probably a hodge-podge mish-mash of crap.
Wrong link? (Score:1)
The text of the third link reads "this post", but the target is "https://github.com/vjex", which is not actually a post. The *expected* target (avicoder's original post) is quite possibly the most relevant and useful page to associate with the story, yet that's missing in its entirety.
I try to cut the editors some slack (typos, incomplete sentences, poor wording/grammar, etc...), but a blatantly false title and a mistargeted link are enough to pull me out of the woodwork.
In other news (Score:2)
Re: (Score:2)
Make it seven seconds, take over the world.
It was fixed in 5 minutes. (Score:3)
It was public for a much longer, unknown time.
Crap Headline and Summary (Score:2)
Vine's Source Code Was Accidentally Made Public For Five Minutes
Incorrect.
Twitter's bounty program paid out - US$10,080 - and the problem was fixed in March (within five minutes of him demonstrating the issue).
Who knows how long the docker container was actually available to the public.
had its source code made publicly available by a bounty-hunter
Where did that come from? I saw nothing in the article or the blog post that said the "bounty hunter" made the source code available to anyone.
6 seconds is too long (Score:2)
I think the next gen version will be called Grape and offer tomorrow's children videos that are 1.8 seconds long.
And that's the problem with docker (Score:2)
Deploy with one click. But your image contains all your secrets (and outdated libs of course).
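The two comments above (mount secrets at run time instead of baking them in; "your image contains all your secrets") can be checked mechanically. This is an added example, not code from the thread or from Vine/Twitter: it reads the image config JSON that `docker save` writes (a constructed sample is embedded) and flags ENV entries and build steps that ship credentials inside the image, while skipping values that merely point at a run-time mount such as `/run/secrets/`. The name/file patterns and entropy threshold are assumptions.

```python
"""Flag secrets baked into a Docker image's config metadata (added example)."""
import json
import math
import re
import tarfile
from collections import Counter

# Assumed heuristics: env names that usually carry credentials, build steps
# that copy credential-like files, and values that reference a run-time mount.
SENSITIVE_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASS(WORD)?|CREDENTIAL)", re.I)
SENSITIVE_FILE = re.compile(r"(\.env\b|id_rsa|\.pem\b|\.p12\b|credentials)", re.I)
MOUNT_REF = re.compile(r"^(/run/secrets/|/var/run/secrets/)")

def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys score well above paths or words."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_image_config(config: dict) -> list:
    """Return (location, detail) findings for one image config dict."""
    findings = []
    for entry in config.get("config", {}).get("Env", []):
        name, _, value = entry.partition("=")
        if MOUNT_REF.match(value):
            continue  # a path to a mounted secret, not the secret itself
        if SENSITIVE_NAME.search(name) or (len(value) >= 24 and shannon_entropy(value) > 4.0):
            findings.append(("ENV", name))
    for step in config.get("history", []):  # one entry per Dockerfile instruction
        cmd = step.get("created_by", "")
        if SENSITIVE_FILE.search(cmd):
            findings.append(("LAYER", cmd.strip()))
    return findings

def scan_saved_image(tar_path: str) -> list:
    """Scan a `docker save` tarball: manifest.json names the config file."""
    with tarfile.open(tar_path) as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
        config = json.load(tar.extractfile(manifest[0]["Config"]))
    return scan_image_config(config)

SAMPLE_CONFIG = {  # constructed sample, not a real image
    "config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "APP_ENV=production",
        "AWS_SECRET_ACCESS_KEY=EXAMPLEexampleEXAMPLE0123456789abcdef",
        "DB_PASSWORD_FILE=/run/secrets/db_password",   # mounted at run time: fine
        "VIDEO_UPLOAD=k9Qz3pT7vX1mB5nR8wL2cH6jF0gD4sY",  # unnamed but high entropy
    ]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) COPY file:abc in /app/.env "},
        {"created_by": "/bin/sh -c pip install -r requirements.txt"},
    ],
}

if __name__ == "__main__":
    for where, what in scan_image_config(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```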