

Vine's Source Code Was Accidentally Made Public For Five Minutes (theregister.co.uk)

An anonymous reader writes from The Register: Vine, the six-second-video-loop app acquired by Twitter in 2012, had its source code made publicly available by a bounty-hunter for everyone to see. The Register reports: "According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request. After that it's all too easy: the docker pull https://docker.vineapp.com:443/library/vinewww request loaded the code, and he could then open the Docker image and run it. 'I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter, [it] was letting me host a replica of Vine locally.' The code included 'API keys, third party keys and secrets,' he writes. Twitter's bounty program paid out -- $10,080 -- and the problem was fixed in March (within five minutes of him demonstrating the issue)."

43 comments

  1. and the award for the most misleading title goes t by Anonymous Coward · · Score: 1

    o... BeauHD!!! Congratulations!

    Although the title says "Vine's Source Code Was Accidentally Made Public For Five Minutes", the code was available for an indeterminate amount of time; it was reported as a problem, Twitter asked for more info, and it was fixed 5 minutes after proof was shown.

    Here's the real source: https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/

    Not some shitty summation from the register.

  2. RTFA? by Dan+East · · Score: 1

    RTFA? Don't bother. The entirety of the article is in the summary, for once.

    --
    Better known as 318230.

    1. Re:RTFA? by Anonymous Coward · · Score: 0

      That's why I never read the summary. Don't want to risk accidentally RTFA.

  3. Not even using basic auth? by h4ck7h3p14n37 · · Score: 1

    The Docker Registry deployment instructions specifically walk you through restricting access using basic auth. Did someone not read the instructions, or did they try to get fancy and screw something up?

    1. Re:Not even using basic auth? by Jumunquo · · Score: 1

      It's like those plug-n-play wireless routers back in the day. Who needs instructions when it works out of the box?

    2. Re:Not even using basic auth? by Anonymous Coward · · Score: 0

      It's 2016.

      The hell are API keys and secrets stored in an image, anyway?

    3. Re:Not even using basic auth? by Anonymous Coward · · Score: 0

      Keys should be a separate manually activated download with authentication. Not just to prevent leakage, but to have an audit trail of who's downloading such.

    4. Re:Not even using basic auth? by bluefoxlucid · · Score: 1

      Not even that. The Docker control system (docker-compose, or any of the clustering stuff) should mount keys and configurations as a volume, which you handle through a separate supply chain (which is better-controlled).
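An added example for the basic-auth question raised in this thread (it is not code from the page, from Vine or from the Docker project): a small probe that sends one credential-less GET /v2/ to a registry and reports whether it got the 401 challenge that an htpasswd- or token-protected registry returns, or a 200 that means anonymous pulls would go through. The fake registry in the block is constructed so the check runs offline; the command-line URL, class and function names are assumptions of this example.

```python
"""Verify that a Docker Registry v2 endpoint rejects anonymous access.

Registry API v2 clients start with GET /v2/. A registry deployed with the
htpasswd (basic auth) or token option answers that request, when it carries
no credentials, with 401 and a WWW-Authenticate header; a registry with no
auth configured answers 200. Asking once, without credentials, is a cheap
post-deployment check that the auth section actually took effect.
"""
import http.server
import sys
import threading
import urllib.error
import urllib.request


def classify_v2_response(status: int, www_authenticate) -> str:
    """Map the anonymous /v2/ response to a verdict.

    'protected'  : 401 with a WWW-Authenticate challenge, as expected.
    'anonymous'  : 200, the registry served the API without credentials.
    'unexpected' : anything else (proxy error, wrong URL, not a registry).
    """
    if status == 401 and www_authenticate:
        return "protected"
    if status == 200:
        return "anonymous"
    return "unexpected"


def registry_auth_verdict(base_url: str, timeout: float = 5.0) -> str:
    """Send one credential-less GET /v2/ to base_url and classify the answer."""
    url = base_url.rstrip("/") + "/v2/"
    req = urllib.request.Request(url, headers={"User-Agent": "registry-auth-check/0.1"})
    # Empty ProxyHandler: ignore http_proxy/https_proxy so the probe hits the
    # registry itself and not whatever a proxy would answer on its behalf.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_v2_response(resp.status, resp.headers.get("WWW-Authenticate"))
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; the headers are still available on the error.
        return classify_v2_response(err.code, err.headers.get("WWW-Authenticate"))


class _FakeRegistry(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a registry, only so this runs offline.
    Subclasses set `protected` to choose which behaviour to imitate."""
    protected = True

    def do_GET(self):
        if self.path != "/v2/":
            self.send_response(404)
            self.end_headers()
            return
        if self.protected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Registry Realm"')
        else:
            self.send_response(200)
        self.send_header("Docker-Distribution-API-Version", "registry/2.0")
        self.end_headers()

    def log_message(self, *args):
        pass  # silence per-request logging


def verdict_for_fake(protected: bool) -> str:
    """Start the fake on an ephemeral loopback port, probe it, tear it down."""
    handler = type("Fake", (_FakeRegistry,), {"protected": protected})
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return registry_auth_verdict(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check.py https://registry.example.internal
        print(registry_auth_verdict(sys.argv[1]))
    else:
        print("fake protected registry :", verdict_for_fake(True))
        print("fake anonymous registry :", verdict_for_fake(False))
```

Run it against your own registry right after deploying it and again whenever the config or the reverse proxy in front of it changes; "anonymous" means the auth section in the registry config (or the proxy that was supposed to enforce it) is not doing its job, and "unexpected" deserves a look rather than being read as a pass.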

  4. 10k? by Anonymous Coward · · Score: 0

    That doesn't seem like very much for this kind of problem.

    1. Re:10k? by Anonymous Coward · · Score: 0

      That's about what that code is really worth.

    2. Re:10k? by justthinkit · · Score: 1

      What is the problem? Someone could read the source code for...a six-second video system? What am I missing here? I didn't see any mention of him being able to modify and reupload code. Are any credit cards involved? What is the absolute worst thing that could happen? Someone else hosts six-second videos? I don't understand...

      --
      I come here for the love

    3. Re:10k? by mfh · · Score: 1

      Finally truth in an ad revenue site valuation. The code ain't the value.

      --
      The dangers of knowledge trigger emotional distress in human beings.

    4. Re:10k? by Anonymous Coward · · Score: 1

      Please read the summary again, with particular attention to phrases like "its API keys and third party keys and secrets." -PCP

    5. Re:10k? by NotAPK · · Score: 1

      "its API keys and third party keys and secrets." -PCP

      But who cares? That's just an administrative issue.

      Those API keys are their own, yes? So they can just change them and update all of their clients/users.

      If the keys are for other third party services then they can have them reissued - and of course they are probably only talking about some video encoding service as well as the gob loads of advertising 3rd parties, and who cares about them anyway?

      The source code is probably a hodge-podge mish-mash of crap, and anyone would do better writing their own from scratch.

      The only legitimate risk will be that the code probably contains all kinds of stupid backdoors and special features activated by using GET parameters. I know how these kinds of projects are run and they are usually crappier than you can possibly imagine...

    6. Re: 10k? by Anonymous Coward · · Score: 0

      These invaluable services add value to all of our lives though.

  5. take that in your ass you one eyed assholes by Anonymous Coward · · Score: 0

    good old times when the symbol for anarchy was an A instead of a G. (for example, thanks to Gnome I had an Apache server for 5 minutes too.)

  6. Wrong link? by Hypoon · · Score: 1

    The text of the third link reads "this post", but the target is "https://github.com/vjex", which is not actually a post. The *expected* target (avicoder's original post) is quite possibly the most relevant and useful page to associate with the story, yet that's missing in its entirety.

    I try to cut the editors some slack (typos, incomplete sentences, poor wording/grammar, etc...), but a blatantly false title and a mistargeted link are enough to pull me out of the woodwork.

  7. Re:and the award for the most misleading title goe by Hypoon · · Score: 1

    Agreed, I noticed this immediately. I RTFA (which is practically the same as the summary anyway) just to check. Thanks for the link.

  8. Re: and the award for the most misleading title go by Anonymous Coward · · Score: 0

    No surprise there. I still don't understand why he hasn't been fired yet. My best guess is because he's still slightly better than EditorDavid.

  9. Still a felony under the CFAA by Joe_Dragon · · Score: 1

    Still a felony under the CFAA; better get a good lawyer.

  10. Re:and the award for the most misleading title goe by OzPeter · · Score: 3, Funny

    o... BeauHD!!! Congratulations!

    Oh come on now. Don't be so hard on the poor guy. At least this time he didn't add a gratuitous link to something like grape vines of Southern California.

    --
    I am Slashdot. Are you Slashdot as well?

  11. make it public... by e432776 · · Score: 1

    ....for longer and some improvements might ensue!

  12. Why should I care? by Anonymous Coward · · Score: 0

    Why should I care about this Vine code?

  13. In other news by Gumbercules!! · · Score: 1

    I have a new startup everyone should check out called... umm.. Chime. Yes. Chime. That will do, nicely. It's an innovative app that allows you to upload and share 6 second movies...

    1. Re:In other news by GrandCow · · Score: 1

      Make it seven seconds, take over the world.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson

  14. Aaannnddd... by Anonymous Coward · · Score: 0

    ... nobody cares!

  15. 5 minutes? That's a lot of vines. by Anonymous Coward · · Score: 0

    That's a lot of 6 second vines to publish the source code, complete with shaky cam effect, background noise and low bitrate to make the source code extra readable.

  16. It was fixed in 5 minutes. by El_Muerte_TDS · · Score: 2

    It was public for a much longer, unknown time.

    1. Re:It was fixed in 5 minutes. by Anonymous Coward · · Score: 0

      Well, open source is good, so what's the problem?

    2. Re: It was fixed in 5 minutes. by Anonymous Coward · · Score: 0

      yeah and fixed means they stopped the docker registry. that's like saying the fire was put out by blowing up the building.

    3. Re:It was fixed in 5 minutes. by Anonymous Coward · · Score: 0

      Open private keys aren't good.

  17. avicoder here.... by Anonymous Coward · · Score: 0

    You guys are really funny....
    LMAO after reading this thread...

    1. Re: avicoder here.... by Anonymous Coward · · Score: 0

      Thanks, man! We here at Slashdot pride ourselves on our humor and meems.

      You should come back and visit when APPS guy, or HOSTS guy or COWS guy shows up. It's a hoot here then!

  18. Re: and the award for the most misleading title go by Anonymous Coward · · Score: 0

    He's the new owner.

  19. Crap Headline and Summary by Fnord666 · · Score: 1

    Vine's Source Code Was Accidentally Made Public For Five Minutes

    Incorrect.

    Twitter's bounty program paid out - US$10,080 - and the problem was fixed in March (within five minutes of him demonstrating the issue).

    Who knows how long the docker container was actually available to the public.

    had its source code made publicly available by a bounty-hunter

    Where did that come from? I saw nothing in the article or the blog post that said the "bounty hunter" made the source code available to anyone.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  20. Re: and the award for the most misleading title go by Anonymous Coward · · Score: 0

    No surprise there. I still don't understand why he hasn't been fired yet. My best guess is because he's still slightly better than EditorDavid.

    Now, now. There's no need to be so harsh on BeauHD. All of the current 'editors' are equally horrible.

  21. Re: and the award for the most misleading title go by Anonymous Coward · · Score: 0

    No, whipslash is the new owner. Apparently his parents' company bought Slashdot and made him President, and he has less of an idea than Dice did about how to run the site (say what you want about Dice, but they didn't have as many clickbaity headlines and inaccurate or just flat-out wrong summaries).

    Sure, he inherited a trainwreck, but it's been six months, and it doesn't look like it's getting much better.

  22. Re:Crap Headline and Summary - avicoder's reply by Anonymous Coward · · Score: 0

    > Who knows how long the docker container was actually available to the public.

    Images were created around mid-January, as I also checked the info about them, so I guess it was publicly accessible for 3 months.

  23. 6 seconds is too long by no1nose · · Score: 1

    I think the next gen version will be called Grape and offer tomorrow's children videos that are 1.8 seconds long.

  24. It should have been OPEN SOURCE in the 1st place by Anonymous Coward · · Score: 0

    If it was some big fucking deal it had to be secret you could either:
    1) not give a fuck
    2) walk up to him with a big rock and say give me the source code or I hit you

    Why are people so slow to figure this out?

  25. Re:and the award for the most misleading title goe by mattack2 · · Score: 1

    That's funny, because this page:
    http://www.techinvestornews.co...
    sometimes has non-Apple Inc. related articles on it.
    Their scanner doesn't reject pages well enough. IIRC, they're usually companies in other industries with Apple in the name, not actual produce-related articles. In my very quick skim of the first page right now, I don't see any non-Apple Inc. related articles.

  26. And that's the problem with docker by allo · · Score: 1

    Deploy with one click. But your image contains all your secrets (and outdated libs of course).
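An added example for the point made in this comment and in the replies to #3 above (secrets baked into the image; keys that should have arrived through a separately controlled volume instead): a scanner over a `docker save` tarball that opens every layer in memory and flags file names and contents that should never be in an image. This is not code from the page, from Vine or from the Docker project. It assumes the legacy `docker save` layout (manifest.json plus one tar per layer, plain or compressed); the sample image it builds is constructed inline with made-up placeholder values, and the pattern list is a starting point rather than a complete catalogue of secret formats.

```python
"""Scan a `docker save` tarball for secrets baked into its layers.

`docker save` writes a tar containing manifest.json plus one tar per layer
(legacy layout: <id>/layer.tar). Each layer is an independent filesystem
diff, so a key added in one layer and `rm`-ed in a later one is still inside
the image. This walks every layer without extracting to disk and reports
suspicious file names and contents as (layer, path, rule) tuples.
"""
import io
import json
import re
import sys
import tarfile

# Content patterns. The case-insensitive generic assignment catches things
# like API_KEY='...' in .env or settings files; the others are format markers.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private-key-block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        rb"(?i)(?:secret|api[_-]?key|token|password)\w*\s*[=:]\s*['\"][^'\"\s]{8,}['\"]"),
}
# File names that should not ship in an image regardless of content.
SENSITIVE_NAMES = re.compile(r"(?:^|/)(?:\.env|id_rsa|id_ed25519|[^/]+\.pem|[^/]+\.p12)$")
MAX_READ = 1 << 20  # inspect the first MiB of each file


def scan_layer(layer: tarfile.TarFile, layer_name: str) -> list:
    """Return (layer, path, rule) findings for one layer tar."""
    findings = []
    for member in layer:
        if not member.isfile():
            continue
        if SENSITIVE_NAMES.search(member.name):
            findings.append((layer_name, member.name, "sensitive-filename"))
        fh = layer.extractfile(member)
        if fh is None:
            continue
        data = fh.read(MAX_READ)
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(data):
                findings.append((layer_name, member.name, rule))
    return findings


def scan_image_tar(image) -> list:
    """Scan a saved image given as a path or as bytes; return all findings."""
    if isinstance(image, (bytes, bytearray)):
        outer = tarfile.open(fileobj=io.BytesIO(image), mode="r:*")
    else:
        outer = tarfile.open(image, mode="r:*")
    findings = []
    with outer:
        for member in outer.getmembers():
            if not member.isfile():
                continue
            fh = outer.extractfile(member)
            try:
                # "r:*" autodetects gzip/bz2/xz-compressed layers as well as plain tar.
                layer = tarfile.open(fileobj=fh, mode="r:*")
            except tarfile.ReadError:
                continue  # manifest.json, config blobs, etc. are not layer tars
            with layer:
                findings.extend(scan_layer(layer, member.name))
    return findings


def _tar_bytes(entries: dict) -> bytes:
    """Build an uncompressed tar from {path: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed stand-in for `docker save` output: a clean base layer plus an
    application layer carrying the kind of material this thread objects to.
    Every key-looking value below is a made-up placeholder, not a real credential."""
    base_layer = _tar_bytes({"etc/os-release": b"ID=debian\n", "usr/bin/true": b"\x7fELF"})
    app_layer = _tar_bytes({
        "app/settings.py": b'DEBUG = False\nAWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000EX"\n',
        "app/.env": b"THIRD_PARTY_API_KEY='example-placeholder-not-real-1234'\n",
        "app/static/logo.png": b"\x89PNG\r\n\x1a\n",
    })
    manifest = json.dumps([{"Config": "config.json", "RepoTags": ["example/webapp:latest"],
                            "Layers": ["base/layer.tar", "app/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "config.json": b"{}",
                       "base/layer.tar": base_layer, "app/layer.tar": app_layer})


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_image()
    results = scan_image_tar(target)
    for layer_name, path, rule in results:
        print(f"{rule:20s} {layer_name}:{path}")
    sys.exit(1 if results else 0)
```

Run it in CI on the output of `docker save` before `docker push`; a non-empty finding list fails the build. Anything that trips it belongs in a mounted volume or a secrets store, as bluefoxlucid describes above, and deleting it in a later Dockerfile step is not a fix, because the earlier layer that introduced it is still shipped with the image.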