A bounty-hunter has gone public with a complete howler made by Vine, the six-second-video-loop app Twitter acquired in 2012.
According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry.
docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request.
After that it's all too easy: the
docker pull https://docker.vineapp.com:443/library/vinewww request loaded the code, and he could then open the Docker image and run it.
“I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter, [it] was letting me host a replica of Vine locally.”
The code included “API keys, third party keys and secrets”, he writes.
Twitter's bounty program paid out – US$10,080 – and the problem was fixed in March (within five minutes of him demonstrating the issue).
The incident is probably a salutary reminder to other Docker users to check they've secured their images. ®