Malicious Wordpress Plugin Causes the Security of Countless Twitter Handles to be Compromised

Numerous Twitter accounts were exposed to takeover after Social Network Tabs, a popular WordPress plugin installed on a large number of websites, was found to be storing the access tokens of linked Twitter accounts in the WordPress site's source code.

If you are not familiar with how access tokens work: they keep you signed in to a website on your computer or phone, so you do not have to retype your password or enter a two-factor authentication code every time you log in. Storing the access tokens of the linked Twitter accounts in the website's source code made them viewable by anyone who could read that source.

It should also be noted that most sites cannot distinguish a stolen token from one used by the legitimate account owner.

The flaw went unnoticed until Baptiste Robert (a French security researcher known by his online handle, Elliot Alderson) discovered it and shared his findings with TechCrunch. In a test, he managed to retrieve the access tokens of over 400 linked Twitter accounts. He also established that the exposed tokens had “read/write” access, as he was able to “favorite” a tweet of his choosing several times from the linked Twitter accounts. Thus, a hacker could have easily gained access to any such linked profile. A number of verified Twitter accounts, not only unverified ones, were among those affected. The vulnerability was assigned “CVE-2018-20555” by MITRE.

Robert also informed Twitter of the plugin's vulnerability on December 1, encouraging the platform to invalidate the keys, which in turn rendered the accounts safe again. Although Twitter declined to comment on the situation, it sent an email to the affected users about it.
Any WordPress user who has this plugin installed is advised to uninstall it, reset their Twitter password, and invalidate the access token by removing the application from Twitter's connected apps.

Design Chemical, the software house responsible for developing the malicious plugin, also declined to comment on the situation.

Moreover, the plugin still appears to be quite popular with users: it continues to receive over a dozen downloads every day and has been downloaded over 53,000 times in the last seven years.

Social Network Tabs - a popular WordPress plugin leaked data capable of hijacking Twitter accounts