A popular WordPress plugin leaked access tokens capable of hijacking Twitter accounts

TechCrunch | 1/17/2019 | Staff
Matty123 (Posted by) Level 3
Click For Photo: https://techcrunch.com/wp-content/uploads/2019/01/GettyImages-868706106.jpg?w=602

A popular WordPress plugin, installed on thousands of websites to help users share content on social media sites, left linked Twitter accounts exposed to compromise.

The plugin, Social Network Tabs, was storing so-called account access tokens in the source code of the WordPress website. Anyone who viewed the source code could see the linked Twitter handle and the access tokens. These access tokens keep you logged in to the website on your phone and your computer without having to re-type your password every time or entering your two-factor authentication code.

Sites - Token - Account - Owner - Hacker

But if stolen, most sites can’t differentiate between a token used by the account owner, or a hacker who stole the token.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the vulnerability and shared details with TechCrunch.

Order - Bug - Robert - Websites - Code

In order to test the bug, Robert found 539 websites using the vulnerable code by searching PublicWWW, a website source code search engine. He then wrote a proof-of-concept script that scraped the publicly available code from the affected websites, collecting access tokens on more than than 400 linked Twitter accounts.

Using the obtained access tokens, Robert tested their permissions by directing those accounts to ‘favorite’ a tweet of his choosing over a hundred times. This confirmed that the exposed account keys had...
(Excerpt) Read more at: TechCrunch
Wake Up To Breaking News!
Sign In or Register to comment.

Welcome to Long Room!

Where The World Finds Its News!