Avicoder - Twitter's Vine Source code dump
25-07-2016, 14:14
Quote: Twitter's Vine Source code dump
6 Seconds are not enough
The following post provides details only about the process I followed to procure the source code of Vine. I have not and will not disclose the source code because it’s AGAINST THE LAW!!!

Hello Hackers!

Today I am going to disclose a long awaited bug, which I found in Twitter’s Vine.

I started participating in various VRPs in 2015 and have been very active since then. Especially in the Twitter Bug bounty program since their response is quick and they release bounty as soon as the bug is triaged.

As Vine is within the scope of Twitter VRP, I started looking at the various points of entry I could access.

Discovering subdomains is an important part of reconnaissance, which, of late, is mostly automated with various tools.

But I prefer:

CSP headers gave me an interesting URL in their result.


When I tried to access it via the browser, it showed /* private docker registry */ in the response.

If it is supposed to be private, then why is it publicly accessible? There has to be something else going on here. On googling /* private docker registry */ I got to know that Docker provides functionality which allows a developer to host and share images through the web.
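The reconnaissance step above works because a Content-Security-Policy header enumerates every origin the page is allowed to talk to, so a defender should know exactly which hosts their own CSP advertises. The script below is an added example, not code from Avicoder's post or from Vine: it parses a CSP header into its directives, collects every host named in any source list, and reports the ones that fall outside the domains you expect to be public. The SAMPLE_CSP value and all host names in it are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample header (not Vine's real policy). The "docker.example-internal.net"
# entry stands in for the kind of internal host a CSP can leak.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example-static.net 'unsafe-inline'; "
    "img-src 'self' data: https://images.example.com https://docker.example-internal.net:5000; "
    "connect-src 'self' wss://api.example.com"
)


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';', and each directive is a name followed by
    whitespace-separated source expressions.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def hosts_in_policy(policy):
    """Return the set of host names referenced anywhere in the policy.

    Keyword sources ('self', 'none', 'unsafe-inline', nonces, hashes) and bare
    scheme sources (data:, blob:) name no host and are skipped.
    """
    hosts = set()
    for sources in policy.values():
        for src in sources:
            if src.startswith("'") or src.endswith(":"):
                continue
            # A source may be a full URL or a bare host (possibly with a port);
            # prefixing "//" lets urlsplit treat a bare host as a network location.
            url = src if "://" in src else "//" + src
            host = urlsplit(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def unexpected_hosts(policy, expected_suffixes):
    """Hosts in the policy that are not under any domain you expect to be public."""
    return sorted(
        h for h in hosts_in_policy(policy)
        if not any(h == s or h.endswith("." + s) for s in expected_suffixes)
    )


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    for directive, sources in policy.items():
        print(f"{directive}: {' '.join(sources)}")
    print("hosts outside example.com:", unexpected_hosts(policy, ["example.com"]))
```

Run it against the CSP headers of your own public endpoints (the header is visible in any browser's network panel) and treat every host in the "unexpected" list as something that must be able to withstand anonymous traffic.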

I’ve worked on docker earlier and the experience helped me realize that there could be some chances of finding code in these images. The chances that developers frequently use it to share data, as they do not have to go through the process of setting up the environment again on their local machines, was quite high. However, since I wasn’t too familiar with docker APIs, I faced some trouble while accessing images endpoints. The ones I could access, unfortunately, were not giving any useful results.

After figuring out that this docker registry is not using the latest version (V2) and the endpoints are different from previous ones, I needed to use V1 documentation to access them. Only after that was I able to get some useful response from the server.

I started by querying the search API endpoint, which reveals that around 80+ images are hosted. That was a good sign.


Next thing was to install docker client on my Ubuntu VM and download those images. The search results show a lot of images, however, I decided to download vinewww just because it looks like public_html. This may contain the Vine source.

sudo docker pull

After the download was complete, I ran docker image vinewww with an interactive shell and got inside the running docker image.

ls in vinewww shows MVC (Flask) is used.


I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter was letting me host a replica of VINE locally.
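The real damage here was not the registry alone but the credentials baked into the image. A check that belongs in any image pipeline is a scan of the image's filesystem for secret material before it is pushed anywhere. The scanner below is an added example, not code from Avicoder's post or from Vine; it assumes the image has already been unpacked to a directory (for instance the tar produced by `docker export`), walks that tree, and reports lines that look like credential assignments, AWS access key IDs (the documented `AKIA...` format) or PEM private key blocks. The sample tree it builds, including the Flask-style `config.py`, contains only placeholder values constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Patterns a pre-push review of an image filesystem should flag.
# "credential assignment" catches config such as SECRET_KEY = "..." or TOKEN: "...".
# The AKIA pattern is the published AWS access key ID format.
# The PEM marker catches private keys copied into the image.
PATTERNS = {
    "credential assignment": re.compile(
        r"""(?i)\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)\s*[:=]\s*['"]([^'"\s]{8,})['"]"""
    ),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Pseudo-filesystems that show up in exported containers and never hold source.
SKIP_DIRS = {"proc", "sys", "dev"}
MAX_FILE_BYTES = 1_000_000  # skip large binaries/logs; tune for your images


def scan_tree(root):
    """Walk an extracted image filesystem; return (relative path, line number, finding kind)."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            # Symlinks inside an image may point outside the unpacked tree; never follow them.
            if path.is_symlink() or path.stat().st_size > MAX_FILE_BYTES:
                continue
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                for kind, pattern in PATTERNS.items():
                    if pattern.search(line):
                        findings.append((path.relative_to(root).as_posix(), lineno, kind))
    return findings


def build_sample_image_tree():
    """Create a constructed stand-in for an unpacked image; every value is a placeholder."""
    root = tempfile.mkdtemp(prefix="image-rootfs-")
    app = Path(root) / "app"
    app.mkdir()
    (app / "config.py").write_text(
        "DEBUG = False\n"
        "TWITTER_CONSUMER_SECRET = 'PLACEHOLDER_consumer_secret_value'\n"
        "DATABASE_HOST = 'db.internal'\n"
    )
    (app / ".env").write_text("AWS_ACCESS_KEY_ID=AKIAPLACEHOLDER00000\n")
    (app / "views.py").write_text("from flask import Flask\napp = Flask(__name__)\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_image_tree()
    for rel_path, lineno, kind in scan_tree(sample_root):
        print(f"{rel_path}:{lineno}: {kind}")
```

The scan is deliberately line-oriented and regex-based so it can run as a fast gate in CI; a hit means the build fails and the value is rotated, which is cheaper than discovering, as happened here, that anyone who can pull the image can read every key in it.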


Until next time, keep hacking! ;)

You can find more insightful comments @Reddit/netsec and @Hackernews

PS : Special thanks to @thanmayeerao


March 21, 2016 - Bug Reported through Hackerone
March 22, 2016 - Need more info
March 31, 2016 - Full exploitation shown
March 31, 2016 - Bug fixed (within 5 min)
April 2, 2016 - $10080 Bounty awarded

Don't learn to hack, hack to learn
26-07-2016, 05:27
RE: Avicoder - Twitter's Vine Source code dump
$10080 Bounty!!! Maybe one should dig out the white hat.