Buggy WordPress plugin can steal Twitter credentials

A popular WordPress plugin called Social Media Tabs has been quietly exposing the Twitter credentials of users, allowing hackers to take control of blog Twitter accounts. The exploit, discovered by French security researcher Baptiste Robert, aka Elliot Alderson, appeared in 539 public WordPress blogs. From TechCrunch:

Using the obtained access tokens, Robert tested their permissions by directing those accounts to ‘favorite’ a tweet of his choosing over a hundred times. This confirmed that the exposed account keys had “read/write” access — effectively giving him, or a malicious hacker, complete control over the Twitter accounts.

These leaked tokens are a perfect and dangerous storm for startups that might be using WordPress as a blog solution and the plugin as a way to spread the word. Alderson's ability to like and post tweets on a victim's behalf could be a new attack vector for hackers looking to route crypto away from legitimate targets.