Twitter has awarded an Indian white-hat hacker $10,080 (Rs 6,80,000) for discovering a security flaw in Vine, its short-form video platform. The hacker, Avinash Singh, was able to use the exploit to access the service’s source code.
Singh reported the issue to Twitter in March. Soon after, the company fixed the flaw and gave him a reward of $10,080 through the bug bounty startup HackerOne.
Singh, who goes by the pseudonym “avicoder,” says he has hunted down 15 bugs in Twitter so far. He found this particular security hole while investigating vulnerabilities with Censys.io, a network-scanning search engine. He discovered that he was able to download Vine’s entire source code through a public docker image.
“I was able to see the entire source code of Vine, its API keys and third-party keys and secrets,” Singh wrote on his blog. “Even running the image without any parameter, was letting me host a replica of Vine locally.” In other words, Singh was able to create a perfect copy of Vine, something nefarious actors could use to phish users.
Singh has received several rewards from Twitter’s bug-bounty program in the past. He has unearthed vulnerabilities such as the insecure transmission of media files and storage of usernames and passwords on the Vine Android app as well as vulnerabilities in Twitter’ ad campaigns.
Earlier this year, Twitter revealed it had paid $322,420 as part of its bug-bounty program to security researchers in the last two years, with an average payout of $835. Its payouts range from $140 to $12,040 and are always in multiples of 140, in keeping with its character platform. Twitter only allows bugs to be publicly disclosed after they’ve been fixed.
“I started participating in various VRPs in 2015 and have been very active since then,” Singh writes. “Especially in the Twitter bug-bounty program since their response is quick and they release bounty as soon as the bug is triaged.”
India also tops the list of 127 countries that participated in Facebook’s bug-bounty program, with the highest number of security researchers and the the most paid bounties, amounting to Rs 48.4 million ($718,400).