Slashdot Mirror


Vine's Source Code Was Accidentally Made Public For Five Minutes (theregister.co.uk)

An anonymous reader writes from The Register: Vine, the six-second-video-loop app acquired by Twitter in 2012, had its source code made publicly available by a bounty-hunter for everyone to see. The Register reports: "According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request. After that it's all too easy: the docker pull https://docker.vineapp.com:443/library/vinewww request loaded the code, and he could then open the Docker image and run it. 'I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter, [it] was letting me host a replica of Vine locally.' The code included 'API keys, third party keys and secrets,' he writes. Twitter's bounty program paid out -- $10,080 -- and the problem was fixed in March (within five minutes of him demonstrating the issue)."


  1. and the award for the most misleading title goes t by Anonymous Coward · · Score: 1

    o... BeauHD!!! Congratulations!

    Although the title says "Vine's Source Code Was Accidentally Made Public For Five Minutes", the code was available for an indeterminate amount of time, reported as a problem, asked for more info by Twitter, then fixed 5 minutes after proof was shown.

    Here's the real source: https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/

    Not some shitty summation from the register.

  2. RTFA? by Dan+East · · Score: 1

    RTFA? Don't bother. The entirety of the article is in the summary, for once.

    --
    Better known as 318230.

  3. Not even using basic auth? by h4ck7h3p14n37 · · Score: 1

    The Docker Registry deployment instructions specifically walk you through restricting access using basic auth. Did someone not read the instructions, or did they try to get fancy and screw something up?

    1. Re:Not even using basic auth? by Jumunquo · · Score: 1

      It's like those plug-n-play wireless routers back in the day. Who needs instructions when it works out-of-the-box.

    2. Re:Not even using basic auth? by bluefoxlucid · · Score: 1

      Not even that. The Docker control system (docker-compose, or any of the clustering stuff) should mount keys and configurations as a volume, which you handle through a separate supply chain (which is better-controlled).

  4. Wrong link? by Hypoon · · Score: 1

    The text of the third link reads "this post", but the target is "https://github.com/vjex", which is not actually a post. The *expected* target (avicoder's original post) is quite possibly the most relevant and useful page to associate with the story, yet that's missing in its entirety.

    I try to cut the editors some slack (typos, incomplete sentences, poor wording/grammar, etc...), but a blatantly false title and a mistargeted link are enough to pull me out of the woodwork.

  5. Re:and the award for the most misleading title goe by Hypoon · · Score: 1

    Agreed, I noticed this immediately. I RTFA (which is practically the same as the summary anyway) just to check. Thanks for the link.

  6. Still a felony under the CFAA by Joe_Dragon · · Score: 1

    Still a felony under the CFAA; better get a good lawyer.

  7. Re:10k? by justthinkit · · Score: 1

    What is the problem? Someone could read the source code for...a six-second video system? What am I missing here? I didn't see any mention of him being able to modify and reupload code. Are any credit cards involved? What is the absolute worst thing that could happen? Someone else hosts six-second videos? je ne comprends pas...

    --
    I come here for the love

  8. Re:and the award for the most misleading title goe by OzPeter · · Score: 3, Funny

    o... BeauHD!!! Congratulations!

    Oh come on now. Don't be so hard on the poor guy. At least this time he didn't add a gratuitous link to something like grape vines of Southern California.

    --
    I am Slashdot. Are you Slashdot as well?

  9. make it public... by e432776 · · Score: 1

    ...for longer and some improvements might ensue!

  10. In other news by Gumbercules!! · · Score: 1

    I have a new startup everyone should check out called... umm.. Chime. Yes. Chime. That will do, nicely. It's an innovative app that allows you to upload and share 6 second movies...

    1. Re:In other news by GrandCow · · Score: 1

      Make it seven seconds, take over the world.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson

  11. Re:10k? by mfh · · Score: 1

    Finally truth in an ad revenue site valuation. The code ain't the value.

    --
    The dangers of knowledge trigger emotional distress in human beings.

  12. Re:10k? by Anonymous Coward · · Score: 1

    Please read the summary again, with particular attention to phrases like "its API keys and third party keys and secrets." -PCP

  13. It was fixed in 5 minutes. by El_Muerte_TDS · · Score: 2

    It was public for a much longer, unknown time.

  14. Re:10k? by NotAPK · · Score: 1

    "its API keys and third party keys and secrets." -PCP

    But who cares? That's just an administrative issue.

    Those API keys are their own, yes? So they can just change them and update all of their clients/users.

    If the keys are for other third party services then they can have them reissued - and of course they are probably only talking about some video encoding service as well as the gob loads of advertising 3rd parties, and who cares about them anyway?

    The source code is probably a hodge-podge mish-mash of crap, and anyone would do better writing their own from scratch.

    The only legitimate risk will be that the code probably contains all kinds of stupid backdoors and special features activated by using GET parameters. I know how these kinds of projects are run and they are usually crappier than you can possibly imagine...

  15. Crap Headline and Summary by Fnord666 · · Score: 1

    Vine's Source Code Was Accidentally Made Public For Five Minutes

    Incorrect.

    Twitter's bounty program paid out - US$10,080 - and the problem was fixed in March (within five minutes of him demonstrating the issue).

    Who knows how long the docker container was actually available to the public.

    had its source code made publicly available by a bounty-hunter

    Where did that come from? I saw nothing in the article or the blog post that said the "bounty hunter" made the source code available to anyone.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  16. 6 seconds is too long by no1nose · · Score: 1

    I think the next gen version will be called Grape and offer tomorrow's children videos that are 1.8 seconds long.

  17. Re:and the award for the most misleading title goe by mattack2 · · Score: 1

    That's funny, because this page:
    http://www.techinvestornews.co...
    sometimes has non-Apple Inc. related articles on it.
    Their scanner doesn't reject pages well enough. IIRC, they're usually companies in other industries with Apple in the name, not actual produce-related articles. In my very quick skim of the first page right now, I don't see any non-Apple Inc. related articles.

  18. And that's the problem with docker by allo · · Score: 1

    Deploy with one click. But your image contains all your secrets (and outdated libs of course).
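An added editor's example (not code from the thread, Vine or Twitter) for the point raised in comments 3.2 and 18, that secrets end up baked into the image rather than mounted at run time: it walks a `docker save` tarball's config and layers and flags secret-looking environment variables and files, a check worth running before any image is pushed to a registry. The sample image, file names and regex patterns are constructed here and are assumptions, not a vetted ruleset.

```python
import io
import json
import re
import tarfile

# Heuristic patterns, constructed for this example rather than a vetted ruleset.
SECRET_NAME_RE = re.compile(r"secret|token|api[_-]?key|password", re.I)
SECRET_FILE_RE = re.compile(r"\.env$|\.pem$|id_rsa$|credentials$", re.I)

def _add(tar, name, data):
    info = tarfile.TarInfo(name)  # one regular file appended to an open tar
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_sample_image():
    """Constructed stand-in for `docker save` output: one layer plus config."""
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        _add(t, "app/settings.py", b'API_KEY = "CONSTRUCTED_SAMPLE_VALUE"\n')
        _add(t, "app/.env", b"THIRD_PARTY_TOKEN=CONSTRUCTED_SAMPLE_VALUE\n")
        _add(t, "app/main.py", b"print('hello')\n")
    config = {"config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=CONSTRUCTED"]}}
    manifest = [{"Config": "config.json", "Layers": ["abc/layer.tar"]}]
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as t:
        _add(t, "abc/layer.tar", layer.getvalue())
        _add(t, "config.json", json.dumps(config).encode())
        _add(t, "manifest.json", json.dumps(manifest).encode())
    return image.getvalue()

def scan_image(image_bytes):
    """Return (location, name) pairs for secret-looking env vars and files."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))[0]
        config = json.load(image.extractfile(manifest["Config"]))
        # Secrets set with ENV at build time are recorded in the image config.
        for env in config.get("config", {}).get("Env", []):
            name = env.split("=", 1)[0]
            if SECRET_NAME_RE.search(name):
                findings.append(("config Env", name))
        # Secrets COPY'd into the filesystem sit in the layer tarballs.
        for layer_name in manifest["Layers"]:
            with tarfile.open(fileobj=io.BytesIO(image.extractfile(layer_name).read())) as layer:
                for m in layer.getmembers():
                    if not m.isfile(): continue
                    text = layer.extractfile(m).read(65536).decode("utf-8", "replace")
                    if SECRET_FILE_RE.search(m.name) or any("=" in ln and SECRET_NAME_RE.search(ln) for ln in text.splitlines()):
                        findings.append((layer_name, m.name))
    return findings
```

On a real image, feed `scan_image` the bytes of `docker save <image>`; an empty result is the state to require before the image leaves the build host.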