It took Twitter five minutes to fix a critical security flaw that would have allowed an attacker to download Vine's entire source code from its servers.
Security researcher Avicoder is the one who discovered this issue, which he reported to Twitter on March 31.
At the core of this issue resides an insecure Docker setup used by Twitter's staff to manage Vine's content.
Internet-available Docker installation exposes Vine source code
Docker is an open platform for managing server images and for building, shipping and managing applications. Docker can be used to deploy OS images for laptops, VMs, or cloud servers alike.
Usually, Docker installations are not publicly accessible, due to the sensitive nature of the content they handle. Twitter's Docker installation was publicly accessible, however, and that allowed Avicoder to probe it and see what he could discover.
Even worse, Twitter wasn't running the latest version of the Docker API (v2), but an older one, v1. Leveraging the Docker API ...
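A self-audit check in the spirit of the above, added here as an example and not taken from the article or from Twitter's or Vine's own code: it classifies how a Docker Registry answers an unauthenticated client, using the v2 convention (`/v2/` answering 401 with a WWW-Authenticate header when auth is enforced) and the legacy v1 `/v1/_ping` and `/v1/search` paths as signals. It works on pre-collected probe results rather than the network; the sample responses and realm URL are constructed.

```python
# Added example (not from the article or from Twitter/Vine): classify how a
# Docker Registry answers an *unauthenticated* client, for auditing your own
# registry. It takes pre-collected probe results instead of talking to the
# network, so the constructed samples below run offline.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Probe:
    path: str                                     # e.g. "/v2/" or "/v1/_ping"
    status: int                                   # HTTP status without credentials
    headers: dict = field(default_factory=dict)   # lower-cased header names

def classify_registry(probes):
    """Return {"exposed": bool, "findings": [...]} for one host's probes.

    Signals used (Registry API v2 spec and legacy v1 behaviour):
      /v2/                  -> 401 + WWW-Authenticate: v2 present, auth enforced
      /v2/                  -> 200: v2 present, anonymous access allowed
      /v1/_ping, /v1/search -> 200: legacy v1 API answers anonymously
    """
    by_path = {p.path: p for p in probes}
    findings, exposed = [], False
    v2 = by_path.get("/v2/")
    if v2 is not None:
        if v2.status == 200:
            findings.append("v2 API: anonymous access allowed")
            exposed = True
        elif v2.status == 401 and "www-authenticate" in v2.headers:
            findings.append("v2 API: authentication enforced")
    for path in ("/v1/_ping", "/v1/search"):
        p = by_path.get(path)
        if p is not None and p.status == 200:
            findings.append(f"legacy v1 API answers anonymously at {path}")
            exposed = True
            break
    if not findings:
        findings.append("no registry API detected")
    return {"exposed": exposed, "findings": findings}

# Constructed samples: a hardened v2 registry and an open legacy v1 registry.
HARDENED = [Probe("/v2/", 401, {"www-authenticate": 'Bearer realm="https://auth.example/token"',
                                "docker-distribution-api-version": "registry/2.0"}),
            Probe("/v1/_ping", 404)]
OPEN_V1 = [Probe("/v2/", 404), Probe("/v1/_ping", 200)]

if __name__ == "__main__":
    for name, probes in (("hardened", HARDENED), ("open-v1", OPEN_V1)):
        print(name, classify_registry(probes))
```

Anything flagged `exposed` should be put behind authentication and taken off the public internet before its contents are assumed to be private.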