Thanks to some digging around in the inner workings of Twitter’s video website Vine, white hat hacker avicoder was able to download the entire source code to the popular service.
While looking for ways to breach the website's security, he found an interesting domain that allowed him to recreate a local copy of Vine.
This is what happened when he reported the bug through Twitter’s HackerOne bounty program:
- March 21, 2016 – Bug reported through HackerOne
- March 22, 2016 – Need more info
- March 31, 2016 – Full exploitation shown
- March 31, 2016 – Bug fixed (within 5 min)
- April 2, 2016 – $10,080 bounty awarded
Can you hear that sound? That’s the echo of a lot of Twitter developers collectively shitting their pants.
If you’re interested in an in-depth technical explanation of the bug and how it was found, make sure to check out avicoder’s blog post.