An Indian white hat hacker was awarded $10,080 by microblogging site Twitter for pointing out a flaw in the video platform Vine.
The flaw allowed Avinash Singh, the hacker who identified it, to access the source code of the service.
The issue was first reported in March. Once the flaw in Vine, which Twitter has owned since 2012, came to light, it was fixed and Singh was awarded $10,080.
Singh, whose pseudonym is “avicoder,” said that he had identified 15 bugs on Twitter so far. With regard to the flaw in question, he said he was looking for vulnerabilities with Censys.io, a network scanning search engine, when he found the bug.
Singh saw an address, https://docker.vineapp.com, that caught his attention. The subdomain in the address referred to Docker, a Silicon Valley startup that, according to Fortune, “creates technology and data center tools that let developers more quickly spin up software applications and share data.”
The servers hosting the data were not protected by any kind of password. “If it is supposed to be private, then why is it publicly accessible?” Singh said in his blog post. He searched a little more and subsequently “was able to see the entire source code of vine, its API keys and third party keys and secrets.”
In the last two years, Twitter has paid $322,420 to security researchers through its bug bounty program. The payments are multiples of 140, in keeping with the character limit of a Twitter post.
Singh has earned several awards from Twitter’s bug bounty program. Some of the flaws he has identified, as reported by Mashable, include the insecure transmission of media files and storage of usernames and passwords on the Vine Android app along with bugs in Twitter ad campaigns.