If You Have Used This WordPress Plugin, You Must Change Your Twitter Password ASAP!

A WordPress Plugin Leaks Access Tokens

Software applications, websites, and online platforms should be living, breathing things. If they are to survive, they need to be updated and adapted to the different things the internet throws at them every day. Leave them dormant, and sooner or later, they will be causing you or other people a great deal of trouble. A French researcher who goes by the Twitter handle @fs0c131y showed us just how big of a problem old software could be.

What is Social Media Tabs?

He found a security hole in Social Media Tabs, a WordPress plugin that was first released in 2012. Social Media Tabs is designed to integrate small tabs into a WordPress website that showcase the owner's social media feeds when the user clicks on them. Upon release, Social Media Tabs received some positive reviews, and over the following months, Design Chemical, the Hong Kong-based company that developed it, pushed a few new features. According to the changelog, however, development ceased in August 2013.

What did Social Media Tabs do wrong?

Needless to say, in order to display your tweets and posts, the plugin has to have access to your social media accounts. On these pages, we have discussed examples that show us how careful you have to be when you're giving a piece of software access to your data, but it's clear that most people don't take the problem seriously at all, especially when something seemingly harmless like a WordPress plugin is involved. This, as you'll see right now, is a big mistake.

In the case of Social Network Tabs, the problem was rooted in the way the plugin stored its access tokens for Twitter – the tokens that let the plugin read and display the account's tweets. For some reason, the access tokens, alongside the profile handle, were visible in the page's source code. And the source code, as we all know, is always a couple of clicks away.

According to TechCrunch's Zack Whittaker, although Social Media Tabs isn't actively developed at the moment, it still manages to rack up a significant number of downloads. Indeed, when @fs0c131y first noticed the blunder, he did a scan and found just under 540 vulnerable websites.

He then wrote a proof-of-concept script that ran through the aforementioned websites and scraped the exposed data. A few minutes later, he had the access tokens of more than 400 Twitter accounts, and he was curious to find out what sort of mischief he could do with them. He picked a tweet and used the tokens to "like" it more than 100 times, which confirmed that he had read/write access. Some of the accounts were pretty much forgotten, though at the time of the research, a few did post some rather strange tweets. Not all affected profiles were dormant. There were a couple of verified accounts, and quite a few had thousands of followers. In other words, an exploit of the fault could have had serious consequences.

On December 1, @fs0c131y notified Twitter, and the offending access tokens were promptly revoked. Yesterday, however, shortly after the vulnerability was brought to the public's attention, @fs0c131y revealed that using Google, you can find more vulnerable websites and accounts. Hopefully, the issue will be addressed as quickly as possible.

What do you need to do?

If you haven't used Social Media Tabs, your Twitter profile is (theoretically at least) safe. This whole thing should be a lesson for everyone, though. Make sure you know which apps have access to your social network accounts, and if you have old WordPress plugins reading your feeds, at least try to make sure that they receive proper care by developers.

As for the people who did use Social Media Tabs, the plugin is no longer maintained, so you can feel free to remove it from your website. You must also make sure that it's disconnected from your social media profiles. And although there's no indication that your profile has been exposed, you should probably consider changing your password out of an abundance of caution.

January 18, 2019
