Oops: Bounty-hunter found Vine's source code in plain sight

A bounty-hunter has gone public with a complete howler made by Vine, the six-second-video-loop app Twitter acquired in 2012. According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn' …

  1. Awil Onmearse

    Wait a minute.

    People who have "API-keys and secrets" in their code?

    Note to self: Really sorry to have missed out on that investment.

    1. Richard 22

      Re: Wait a minute.

      The article doesn't say the keys are in the code - it says that the keys are in the docker image. Even if they weren't in the image they would have to be available to the image, and in this case you'd have full control over it.

      1. P. Lee

        Re: Wait a minute.

        I'm not sure there's that much difference between storing the keys in the code and storing the keys in the deployment image...

      2. Crazy Operations Guy

        Re: Wait a minute.

        " Even if they weren't in the image they would have to be available to the image, and in this case you'd have full control over it. "

        I suppose that could be fixed by putting the keys and secrets into a shared DB table so that you'd at least need access to their private network, maybe authenticate using a certificate for additional security. Plus it would make it easier to update the keys if they got leaked, or just change them routinely as procedure.

        1. Brewster's Angle Grinder

          Turtles all the way down

          And how would the image authenticate itself to the DB? Would it perhaps need some sort of key or secret?

    2. kmac499

      Re: Wait a minute.

      Sounds like a really good argument for any company with genuine crown jewel code and IP to have a private GitHub and Docker Hub, even if that private hub is hosted on a cloud platform.

    3. Brewster's Angle Grinder

      Re: Wait a minute.

      The clue is in the name: it's an API key. You need it to access the API.
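The thread above turns on where a credential actually ends up: Richard 22 points out that the keys were in the Docker image rather than the source, Crazy Operations Guy and Brewster's Angle Grinder then argue about where the bootstrap secret can live instead. The following scanner is an added example, not code from the article, from Vine or from any commenter. It checks the two places a literal secret lands when it is baked into an image rather than supplied at run time: the Dockerfile's ENV/ARG/RUN lines, and the image config blob (the JSON with "config" and "history" keys that `docker save` / OCI image configs carry), where build ARG values are recorded verbatim in the layer history. All sample Dockerfiles, config JSON and credential values are constructed for the example; the regexes are illustrative, not an exhaustive secret catalogue.

```python
"""Detect credentials baked into a container image (constructed example).

A secret that never appears in the git tree can still be shipped to anyone
who can pull the image, via:
  * Dockerfile ENV / ARG / RUN key=value lines -> copied into a layer
  * the image config JSON: config["config"]["Env"] and the build history,
    where BuildKit/docker records ARG values in each layer's "created_by"
"""
import json
import re

# Variable names that usually carry credentials (constructed list, not exhaustive).
SECRET_NAME = (r"[A-Za-z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|"
               r"ACCESS_KEY|PRIVATE_KEY)[A-Za-z0-9_]*")
# NAME=value, NAME="value" or NAME='value'
ASSIGNMENT_RE = re.compile(r"(?i)\b(" + SECRET_NAME + r")=(\"[^\"]*\"|'[^']*'|\S+)")
# Files that should never be COPY'd or ADD'ed into a layer.
SENSITIVE_FILE_RE = re.compile(
    r"(?i)^\s*(?:COPY|ADD)\b.*?(?:^|[\s/])"
    r"(\.env|id_rsa|id_ed25519|\.netrc|\.npmrc|credentials\.json)(?=\s|$)")


def literal_secret(value):
    """True when the right-hand side is a literal, not a runtime reference."""
    v = value.strip("\"'")
    if not v:
        return False
    # $VAR / ${VAR} resolve later; <...> and ****/xxxx are redaction placeholders
    return not (v.startswith("$") or v.startswith("<") or set(v) <= set("*xX"))


def scan_text(text, source):
    """Return one finding per secret-looking literal or sensitive file per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT_RE.finditer(line):
            if literal_secret(m.group(2)):
                findings.append({"source": source, "line": lineno, "name": m.group(1)})
        fm = SENSITIVE_FILE_RE.search(line)
        if fm:
            findings.append({"source": source, "line": lineno, "name": fm.group(1)})
    return findings


def scan_image_config(config):
    """Scan an image config dict: runtime Env plus every layer's build command.
    ARG values show up in history, so ARG is not a safe channel for secrets."""
    lines = list(config.get("config", {}).get("Env", []))
    lines += [h.get("created_by", "") for h in config.get("history", [])]
    return scan_text("\n".join(lines), "image-config")


# Constructed sample: three different ways to bake a credential into an image.
LEAKY_DOCKERFILE = """\
FROM python:3.11-slim
ARG DB_PASSWORD=hunter2
ENV TWITTER_API_KEY=AKIAEXAMPLE1234
COPY .env /app/.env
RUN pip install -r requirements.txt
"""

# Same build with the secrets kept out of the image: the API key is injected
# at run time (docker run -e / orchestrator secret) and the build-time password
# comes through a BuildKit secret mount, which is never written to a layer.
HARDENED_DOCKERFILE = """\
FROM python:3.11-slim
# TWITTER_API_KEY is supplied at run time, never via ENV
RUN --mount=type=secret,id=db_password pip install -r requirements.txt
"""

# Constructed image config mirroring what the leaky Dockerfile would produce.
LEAKY_IMAGE_CONFIG = {
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                       "TWITTER_API_KEY=AKIAEXAMPLE1234"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop)  ARG DB_PASSWORD=hunter2"},
        {"created_by": "|1 DB_PASSWORD=hunter2 /bin/sh -c pip install -r requirements.txt"},
    ],
}

if __name__ == "__main__":
    for f in scan_text(LEAKY_DOCKERFILE, "Dockerfile"):
        print(json.dumps(f))
    print("hardened:", scan_text(HARDENED_DOCKERFILE, "Dockerfile"))
    for f in scan_image_config(LEAKY_IMAGE_CONFIG):
        print(json.dumps(f))
```

The image-config pass is the one that matters for a registry leak: even a Dockerfile that only declares `ARG DB_PASSWORD` with no default still lands the value passed via `--build-arg` in the layer history, which is why the hardened version routes the build-time secret through a secret mount and leaves the runtime key to the deployment environment rather than to the image.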

  2. Pascal Monett

    "the problem was fixed in March"

    So they were notified and fixed the issue really fast.

    Good.

    Now can we have the assurance that no unauthorized access took place before it was outed?

    1. Alistair

      Re: "the problem was fixed in March"

      @Pascal:

      That request must be made through the correct API. *cough*

    2. collinsl

      Re: "the problem was fixed in March"

      The question is how many people/bots stumbled over it in the 5 minutes it was allegedly open?

      If this guy managed it by accident I'd think at least 10-20 bots found it and scraped everything they could.

      1. AndyS

        Re: "the problem was fixed in March"

        It was closed within 5 minutes of him notifying them - who knows how long it was open for.

        And presumably, since this all happened 4 months ago (meaning by now the source code is likely out of date, and keys were presumably changed asap after discovery), and since this is the first time I've seen it reported, you'd have to assume no real damage was done.

        Which means the bug bounty worked as planned.
