Buggy WordPress plugin can steal Twitter credentials

A popular WordPress plugin called Social Media Tabs has been quietly exposing its users' Twitter credentials (the OAuth access tokens the plugin uses to post on a site's behalf), allowing attackers to take control of blog Twitter accounts. The leak, discovered by French security researcher Baptiste Robert (aka Elliot Alderson), was found on 539 public WordPress blogs. From TechCrunch:


Using the obtained access tokens, Robert tested their permissions by directing those accounts to ‘favorite’ a tweet of his choosing over a hundred times. This confirmed that the exposed account keys had “read/write” access — effectively giving him, or a malicious hacker, complete control over the Twitter accounts.

These leaked tokens are a dangerous combination for startups that use WordPress as their blog platform and the plugin as a way to spread the word. Robert's ability to like and post tweets on a victim's behalf shows the attack vector: a hijacked company account could be used to steer crypto away from legitimate targets. A leaked token stays valid until it is revoked, so sites running the plugin should revoke and regenerate their Twitter app's access tokens rather than only updating the plugin.
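The practical check a site owner wants here is whether their own public pages carry Twitter credentials in the first place. The scanner below is an added example and not code from the article, the plugin, or the researcher; the article does not say how the plugin exposed the tokens, so this example assumes the common failure mode of a plugin printing its API configuration into page-level JavaScript, and the token shapes it looks for are heuristics (Twitter access tokens commonly look like `<numeric user id>-<about 40 alphanumerics>`), not an official format. The sample page is constructed, with made-up values.

```python
"""Scan a site's public HTML/JS for embedded Twitter API credentials.

Added example, not code from the article or the plugin. The token shapes
below are heuristics (Twitter access tokens commonly look like
"<numeric user id>-<~40 alphanumerics>"), not an official specification.
"""
from __future__ import annotations

import re
import urllib.request
from dataclasses import dataclass

# Constructed sample page, imitating a plugin that prints its OAuth
# credentials into a page-level JavaScript config. All values are made up.
SAMPLE_HTML = """<!doctype html>
<script>
var smt_config = {
  "twitter_oauth_token": "1234567890-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd",
  "twitter_oauth_token_secret": "ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210zyxwvutsr",
  "consumer_key": "aBcDeFgHiJkLmNoPqRsTuVwXy"
};
</script>
<a href="https://twitter.com/intent/user?user_id=1234567890">Follow us</a>
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # access_token | access_token_secret | consumer_key
    redacted: str  # first four characters only; never log the full secret


# Heuristic patterns (assumptions, see module docstring).
# A bare "<user id>-<token>" string anywhere in the page.
ACCESS_TOKEN_RE = re.compile(r"\b\d{5,20}-[A-Za-z0-9]{30,50}\b")
# A long alphanumeric value assigned to any key whose name contains "secret".
SECRET_RE = re.compile(
    r"""["']?[\w-]*secret[\w-]*["']?\s*[:=]\s*["']([A-Za-z0-9]{30,60})["']""",
    re.IGNORECASE,
)
# A consumer/API key assigned to a key literally named consumer_key or api_key.
CONSUMER_KEY_RE = re.compile(
    r"""["']?(?:consumer_key|api_key)["']?\s*[:=]\s*["']([A-Za-z0-9]{20,40})["']""",
    re.IGNORECASE,
)


def _redact(value: str) -> str:
    """Keep enough to recognise the credential, not enough to use it."""
    return value[:4] + "..." + "*" * 6


def find_leaked_twitter_credentials(html: str) -> list[Finding]:
    """Return one Finding per credential-looking string in the page source."""
    findings: list[Finding] = []
    for m in ACCESS_TOKEN_RE.finditer(html):
        findings.append(Finding("access_token", _redact(m.group(0))))
    for m in SECRET_RE.finditer(html):
        findings.append(Finding("access_token_secret", _redact(m.group(1))))
    for m in CONSUMER_KEY_RE.finditer(html):
        findings.append(Finding("consumer_key", _redact(m.group(1))))
    return findings


def scan_url(url: str, timeout: float = 10.0) -> list[Finding]:
    """Fetch a page you own and scan it; only used interactively, not in tests."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return find_leaked_twitter_credentials(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed page.
    for f in find_leaked_twitter_credentials(SAMPLE_HTML):
        print(f"{f.kind}: {f.redacted}")
```

Run it against your own blog's front page (and any page that renders the plugin's widget) with `scan_url("https://example.com/")`; any hit means the token is already public and should be revoked in the Twitter app settings, not merely hidden. The `user_id=1234567890` link in the sample is deliberately left unflagged: a numeric id alone is not a credential, and the dash-separated shape is what distinguishes a token from an id.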

About Author

John Biggs is an entrepreneur, consultant, writer, and maker. He spent fifteen years as an editor for Gizmodo, CrunchGear, and TechCrunch and has a deep background in hardware startups, 3D printing, and blockchain. His work has appeared in Men’s Health, Wired, and the New York Times. He runs the Technotopia podcast about a better future. He has written five books including the best book on blogging, Bloggers Boot Camp, and a book about the most expensive timepiece ever made, Marie Antoinette’s Watch. He lives in Brooklyn, New York. Disclosure: Biggs owns and maintains cryptocurrencies in a private account and has been consulting with startups regarding blockchain-based products. He also edits and writes for startup clients.