Buggy WordPress plugin can steal Twitter credentials


A popular WordPress plugin called Social Media Tabs has been quietly exposing the Twitter credentials of the blogs that use it, allowing attackers to take control of those blogs' Twitter accounts. The leak, discovered by French security researcher Baptiste Robert, who goes by Elliot Alderson online, affected 539 public WordPress blogs. From TechCrunch:

Using the obtained access tokens, Robert tested their permissions by directing those accounts to ‘favorite’ a tweet of his choosing over a hundred times. This confirmed that the exposed account keys had “read/write” access — effectively giving him, or a malicious hacker, complete control over the Twitter accounts.

These leaked tokens are a perfect and dangerous storm for startups that use WordPress as their blog platform and the plugin as a way to spread the word. Robert's ability to like and post tweets on a victim's behalf could be a new attack vector for hackers looking to route crypto away from its legitimate recipients: a tweet from a hijacked, trusted company account is exactly the kind of message a scammer wants to send.
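The check a site owner would want after reading this, as an added example that is not part of the article, TechCrunch's reporting, or the plugin's own code: a scanner that looks through a blog's served HTML and JavaScript for Twitter OAuth 1.0a credentials. It assumes the leak puts the credentials in client-visible output (the article does not say how the tokens became public), and the sample pages, key values and the helper names `find_twitter_credentials` and `takeover_possible` are all constructed here. The length and shape rules (25-character consumer key, 50-character consumer secret, `userid-` plus 40 characters for an access token, 45-character access token secret) are the formats Twitter's OAuth 1.0a credentials have used.

```python
import re
from typing import List, NamedTuple

# Constructed sample of what a blog page might serve if a plugin embedded its
# Twitter OAuth credentials in client-visible output.  All values are fake.
SAMPLE_HTML = """
<script>
var tabs_cfg = {
  "consumer_key": "AbCdEfGhIjKlMnOpQrStUvWxY",
  "consumer_secret": "AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWx",
  "access_token": "123456789-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd",
  "access_token_secret": "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghi"
};
</script>
"""

# Constructed page with no usable Twitter credentials: a non-Twitter key, a
# value too short to be a token, and a "consumer_key" of the wrong length.
CLEAN_HTML = """
<script>
var cfg = {"api_key": "not-a-twitter-token", "access_token": "short"};
var other = {"consumer_key": "onlytwentycharsxxxxx"};
</script>
"""


class Finding(NamedTuple):
    kind: str    # which of the four credential types the value looks like
    value: str
    line: int    # 1-based line in the scanned text


# Labelled assignments such as  "access_token": "123-abc..."  or  consumer_key = 'abc'.
# Longer label names come first so "access_token_secret" is not cut to "access_token".
_LABELLED = re.compile(
    r"""(?P<label>consumer_key|consumer_secret|access_token_secret|access_token
                  |oauth_token_secret|oauth_token)
        ["']?\s*[:=]\s*["'](?P<value>[A-Za-z0-9\-]{20,60})["']""",
    re.IGNORECASE | re.VERBOSE,
)

# An access token is recognisable even without a label: numeric user id,
# a hyphen, then exactly 40 alphanumerics.
_ACCESS_TOKEN = re.compile(r"\b\d{4,}-[A-Za-z0-9]{40}\b")

# Expected lengths of the other three credential values.
_LENGTHS = {"consumer_key": 25, "consumer_secret": 50, "access_token_secret": 45}


def _normalise(label: str) -> str:
    label = label.lower()
    aliases = {"oauth_token": "access_token", "oauth_token_secret": "access_token_secret"}
    return aliases.get(label, label)


def find_twitter_credentials(text: str) -> List[Finding]:
    """Return every value in `text` that has the shape of a Twitter OAuth credential."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _LABELLED.finditer(line):
            kind, value = _normalise(m.group("label")), m.group("value")
            if kind == "access_token":
                if not _ACCESS_TOKEN.fullmatch(value):
                    continue            # labelled, but not a Twitter-shaped token
            elif len(value) != _LENGTHS[kind]:
                continue                # wrong length for this credential type
            findings.append(Finding(kind, value, lineno))
        # Second pass: access tokens that carry no label at all.
        for m in _ACCESS_TOKEN.finditer(line):
            if not any(f.value == m.group(0) for f in findings):
                findings.append(Finding("access_token", m.group(0), lineno))
    return findings


def takeover_possible(findings: List[Finding]) -> bool:
    """True when all four values needed to sign requests as the account are exposed."""
    needed = {"consumer_key", "consumer_secret", "access_token", "access_token_secret"}
    return needed <= {f.kind for f in findings}


if __name__ == "__main__":
    for page_name, page in (("SAMPLE_HTML", SAMPLE_HTML), ("CLEAN_HTML", CLEAN_HTML)):
        found = find_twitter_credentials(page)
        print(page_name, "->", [(f.kind, f.line) for f in found],
              "full takeover possible:" , takeover_possible(found))
```

Two caveats for anyone running this against a live site. First, a positive result shows that the four signing values are public; whether they grant read/write access (which is what Robert confirmed by making the accounts favorite a tweet) can only be checked by actually calling Twitter's API with them. Second, removing the values from the page does not help on its own: anyone who already scraped them still holds working credentials until the keys are regenerated in the Twitter developer settings, which invalidates the old ones.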

AUTHOR

John Biggs is an entrepreneur, consultant, writer, and maker. He spent fifteen years as an editor for Gizmodo, CrunchGear, and TechCrunch and has a deep background in hardware startups, 3D printing, and blockchain. His work has appeared in Men’s Health, Wired, and the New York Times. He runs the Technotopia podcast about a better future. He has written five books including the best book on blogging, Bloggers Boot Camp, and a book about the most expensive timepiece ever made, Marie Antoinette’s Watch. He lives in Brooklyn, New York. Disclosure: Biggs owns and maintains cryptocurrencies in a private account and has been consulting with startups regarding blockchain-based products. He also edits and writes for startup clients.


WHO WE ARE

The Block is a news provider that strives to be the first and final word on digital assets news, research, and data.
