RICK REA: Helping You Grow Through Online Marketing
  • Home
  • Blog
    • Social Media News
    • SEO Marketing News
    • Digital Trends News
    • Photography News
    • Mobile Marketing
    • Business News
    • Gadget News
    • Printing News
  • Contact
  • About
  • Subscribe


A popular WordPress plugin leaked access tokens capable of hijacking Twitter accounts

1/17/2019

0 Comments

 
https://tcrn.ch/2Hhkwv4

A popular WordPress plugin leaked access tokens capable of hijacking Twitter accounts

https://tcrn.ch/2APVcXn

A popular WordPress plugin, installed on thousands of websites to help users share content on social media sites, left linked Twitter accounts exposed to compromise.

The plugin, Social Network Tabs, was storing so-called account access tokens in the source code of the WordPress website. Anyone who viewed the source code could see the linked Twitter handle and the access tokens. These access tokens keep you logged in to the website on your phone and your computer without having to re-type your password every time or entering your two-factor authentication code.

But if stolen, most sites can’t differentiate between a token used by the account owner, or a hacker who stole the token.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the vulnerability and shared details with TechCrunch.

In order to test the bug, Robert found 539 websites using the vulnerable code by searching PublicWWW, a website source code search engine. He then wrote a proof-of-concept script that scraped the publicly available code from the affected websites, collecting access tokens on more than than 400 linked Twitter accounts.

Using the obtained access tokens, Robert tested their permissions by directing those accounts to ‘favorite’ a tweet of his choosing over a hundred times. This confirmed that the exposed account keys had “read/write” access — effectively giving him, or a malicious hacker, complete control over the Twitter accounts.

Among the vulnerable accounts included a couple of verified Twitter users and several accounts with tens of thousands of followers, a Florida sheriff’s office, a casino in Oklahoma, an outdoor music venue in Cincinnati, and more.

Robert told Twitter on December 1 of the vulnerability in the third-part plugin, prompting the social media giant to revoke the keys, rendering the accounts safe again. Twitter also emailed the affected users of the security lapse of the WordPress plugin, but did not comment on the record when reached.

Twitter did its part — what little it could do when the security issue is out of its hands. Any WordPress user still using the plugin should remove it immediately, change their Twitter password, and ensure that the app is removed from Twitter’s connected apps to invalidate the token.

Design Chemical, a Bangkok-based software house that developed the buggy plugin, did not return a request for comment when contacted prior to publication.

On its website, it says the seven-year plugin has been downloaded more than 53,000 times. The plugin, last updated in 2013, still gets dozens of downloads each day.

MITRE assigned the vulnerability CVE-2018-20555. It’s the second bug Robert has disclosed in as many days.

Researcher shows how popular app ES File Explorer exposes Android device data





Social Media

via Twitter – TechCrunch https://techcrunch.com

January 17, 2019 at 05:13AM

0 Comments



Leave a Reply.


    Amazing WeightLoss

    Click Here!

    Categories

    All
    Analyze Top Competitors
    Anti-Abuse
    Apple
    Apple Watch
    Blog Posts
    Brainstorm
    Brand Awareness
    Communications
    Content Marketing
    Conversion Rates
    Editorial Calendar Tips
    Engagement
    Facebook
    Google Analytics
    How To Marketing Tips
    Influencer
    Instagram
    Instagram Live
    Keyword Search
    Marketing
    Marketing Automation
    Picture Quotes
    Podcasts
    Recording Videos
    Repurpose Blogs
    Research Trends
    Sales Funnel
    SEO Marketing
    Sharing Posts
    Slide Shows
    Smartwatch
    Social Media Marketing
    Social Media News
    Social Media Tools
    Social Selling
    Target Marketing
    Twitter
    Twitter Notifications
    User Interaction
    Video
    Video Marketing

    Archives

    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017

    RSS Feed

All content copyrighted (C) 2010 ~ 2020
​All Photos & Content Used Under Creative Commons
​www.RickRea.com 701-200-7831
Privacy Policy
  • Home
  • Blog
    • Social Media News
    • SEO Marketing News
    • Digital Trends News
    • Photography News
    • Mobile Marketing
    • Business News
    • Gadget News
    • Printing News
  • Contact
  • About
  • Subscribe