
Tuesday, July 26, 2016

Hacker Downloaded Vine's Entire Source Code



Vine is a short-form video sharing service where people can share 6-second-long looping video clips. Twitter acquired the service in October 2012.



Indian bug bounty hunter Avinash discovered a loophole in Vine that allowed him to download, without any hassle, a Docker image containing the complete source code of Vine.



Launched in June 2014, Docker is a new open-source container technology that makes it possible to run more apps on the same old servers and also makes it very easy to package and ship programs. Companies are now adopting Docker at a remarkable rate.



However, the Docker images used by Vine, which were supposed to be private, were actually available publicly online.



While searching for vulnerabilities in Vine, Avinash used Censys.io – a new hacker's search engine similar to Shodan – which scans the whole Internet daily for vulnerable devices.



Using Censys, Avinash found over 80 Docker images, but he specifically downloaded 'vinewww', because the image's name resembles the www folder that generally holds a website's files on a web server.


After the download was complete, he ran the Docker image vinewww, and bingo!

The bug hunter was able to see the entire source code of Vine, its API keys as well as third-party keys and secrets. "Even running the image without any parameter, was letting me host a replica of VINE locally," He wrote.



The 23-year-old reported this blunder and demonstrated full exploitation to Twitter on 31 March; the company rewarded him with a $10,080 bounty and fixed the issue within 5 minutes.



Avinash has been an active bug bounty hunter since 2015 and until now has reported 19 vulnerabilities to Twitter.


Tuesday, July 12, 2016

Beware! It Could Be Malicious to Download the Pokemon Go Game for Android



"Pokémon Go" has become the hottest iPhone and Android game to hit the market in a long time, with enormous popularity and massive social impact. The app has taken the world by storm since its launch this week.


Nintendo's new location-based augmented reality game allows players to catch Pokémon in real life using their device's camera, and it is currently officially available only in the United States, New Zealand, the UK and Australia.



On average, users are spending twice as much time in the new Pokémon Go app as in apps like Snapchat. In fact, Pokémon Go has experienced massive server overload within just a few days of launch.


Because of the huge interest surrounding Pokémon Go, many gaming and tutorial websites have published tutorials recommending that users download the APK from a link outside Google Play.


To install such an APK, users have to "side-load" the app by changing a core Android security setting so that the device's OS will install apps from "unknown sources."



Pokémon Go is Installing DroidJack Malware


Security researchers have warned users that many of these online tutorials are linked to malicious versions of the Pokémon Go app that install a backdoor on Android phones, enabling hackers to compromise a user's device completely.


Security firm Proofpoint has discovered a malicious app, or APK, that has been infected with DroidJack – a Remote Access Tool (RAT) that can take over any Android device by opening a silent backdoor for attackers.



Less than 3 days after Nintendo initially released the game in Australia and New Zealand on July 4, the malicious app was uploaded to an online malware detection repository.


Since Android's core security settings normally prevent the installation of untrusted third-party apps from "unknown sources," users should never have side-loaded the app in the first place.



"This is an extremely risky practice and can easily lead users to install malicious apps on their own mobile devices," researchers at Proofpoint wrote in a blog post. "Should an individual download an APK [Android application package] from a third-party that has been infected with a backdoor, like the one we discovered, their device would then be compromised."

Here's How to Protect Yourself


Fortunately, there are several ways to check if you have downloaded the malicious version of the Pokémon Go app.


The infected version of the Pokémon Go app will have been granted more system permissions, so one way to tell the two apart is to compare the permissions of your app with those of the legitimate one.


To do so, go to Settings → Apps → Pokemon GO and check the game's permissions.


If you find that the game has asked for permissions such as directly calling phone numbers, reading and editing your SMS messages, recording audio, reading web history, reading and modifying your contacts, reading and writing call logs, or changing network connectivity, uninstall the game right away: it is infected with DroidJack.


You can also compare the game's SHA-1 hash – a fixed-length fingerprint of the file that changes if a malicious third party has modified or infected it – against the hash of the legitimate version to make sure the two match.
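As an added illustration (not code from the original post or from Proofpoint), here is a Python check that reads the output of `aapt dump permissions` for a downloaded APK, flags any permissions matching the capabilities listed above, and compares the file's SHA-1 against a known-good hash obtained from a trusted source. The permission-name mapping, the hypothetical package name and the sample aapt output are our own assumptions.

```python
import hashlib
import hmac
import re

# Permissions that correspond to the capabilities the post says the infected
# build asks for (real Android permission names; mapping to the wording is ours).
RISKY_PERMISSIONS = {
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_SMS": "read your SMS",
    "android.permission.WRITE_SMS": "edit your SMS",
    "android.permission.RECORD_AUDIO": "record audio",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read web history",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.WRITE_CONTACTS": "modify your contacts",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.WRITE_CALL_LOG": "write call logs",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
}

# Accepts both line styles printed by `aapt dump permissions <apk>`:
#   uses-permission: name='android.permission.READ_SMS'
#   uses-permission: android.permission.READ_SMS
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?$")

def parse_permissions(aapt_output):
    """Set of permission names declared in the aapt output."""
    perms = set()
    for line in aapt_output.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def flag_risky(aapt_output):
    """{permission: capability} for every risky permission the APK declares."""
    present = parse_permissions(aapt_output)
    return {p: RISKY_PERMISSIONS[p] for p in sorted(present) if p in RISKY_PERMISSIONS}

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def hash_matches(data, expected_sha1):
    """True if the APK bytes hash to the known-good SHA-1 (hex, any case)."""
    return hmac.compare_digest(sha1_hex(data), expected_sha1.strip().lower())

# Constructed aapt output for a hypothetical build; not from a real APK.
SAMPLE_AAPT_OUTPUT = """package: com.example.pokemongo
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: android.permission.READ_CALL_LOG
"""
```

Feed the text of `aapt dump permissions game.apk` to `flag_risky`; the known-good SHA-1 is not on this page and must come from the legitimate publisher.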



The Bottom Line:


Instead of downloading available applications from unknown third party stores, wait for the Pokémon Go app to launch in your country.


Downloading apps from third parties does not always end in malware or viruses, but it certainly raises the risk. So the safest course is to wait, in order to avoid compromising your device and the networks it accesses.