Social networking platform Twitter recently awarded $10,080 to Indian-born White Hat hacker Avinash Singh who was able to point out a security loophole in the company's video-sharing service called Vine. The flaw discovered by Singh allowed him to access the entire cache of Vine's online code.
Singh first reported the flaw in March. Twitter awarded Singh the purse via a bug bounty startup called HackerOne. While the purse of $10,080 seems a little odd, it is noted that Twitter pay bug bounty rewards in amounts divisible by $140 as a nod to the platform's 140-character limit.
According to the Fortune, Singh discovered a Docker image for Vine while he was looking for security flaws using the censys.io. For the uninitiated, Docker is an open digital platform used by system administrators and developers. The platform is an outlet where users can post codes and libraries that are used or required to build an application.
Vine's cache was stored as part of a Docker image. It was hosted on Amazon Web Services and should have been private. However, the image was tagged public and through clever use of Censys, Singh was able to get his hands on the Docker image.
Singh later shared on his blog that he was able to access the entire code of Vine, its API keys, its third-party keys, and some sensitive information. He added, "Even running the image without any parameters was letting me host a replica of Vine locally."
According to Times of India, Singh reported the vulnerability on March 31 and Twitter engineers were able to patch the issue within five minutes. Singh started his bug bounty hunter career in 2015, and since then he was able to report around 20 bugs to Twitter. When asked why he chose Twitter, he said that the company fixes problems and pays up quickly.