The popular WordPress plugin, Social Network Tabs, which has been downloaded over 53.000 times in the past 7 years and is used to help users share content on social media sites, left thousands of linked Twitter accounts exposed to compromise.
This became apparant when it became known that the popular Social Network Tabs plugin stores account access tokens in the source code of WordPress websites.
Access tokens
Access tokens ensure that you stay logged in on your computer or smartphone on a website. This saves time because users do not have to type their password or two-factor authentication code again and again to log in. Because the access tokens of linked Twitter handles were stored in the source code of the website, they were easily visible to anyone who had access to the source code. This situation was compounded because most sites are unable to distinguish a stolen token from a token used by the owner of the account.
Discovery
The bug was discovered by the French security researcher Baptiste Robert (also known under his pseudonym Elliot Alderson), who shared his findings with TechCrunch. He conducted a test in which he managed to retrieve access tokens of more than 400 linked Twitter accounts. He also concluded that the obtained tokens granted him “read / write” access; he was able to mark a random tweet multiple times from the linked Twitter accounts as a favorite. In other words, a hacker could very easily gain access to such a linked Twitter profile, and be able to do everything he wanted with it.
On 1 December Robert also informed Twitter about the vulnerability in the Social Network Tabs plugin. He requested the platform to invalidate the access tokens, which would make the accounts safe again. Twitter sent an e-mail about the issue to affected users:
“Every WordPress user who has installed this plugin is asked to remove it, reset their Twitter password and invalidate the access token by removing the application from Twitters apps.”
Social Network Tabs plugin still in use
Design Chemical, the software developer responsible for making the plugin, refused to respond to the situation. It appears that the plugin is currently still pretty popular – until recently, Social Network Tabs was downloaded by several people every day, while the plugin was last updated in 2013.
CodeCanyon has now removed the plugin. WordPress users who still use the plugin are recommended to remove it immediately and to find an alternative, such as the Social Warfare plugin.
