
WordPress Plugin Leaked Access Token That Can Hack Twitter Accounts

Moeez — January 18, 2019

A popular WordPress social media plugin, Social Network Tabs, connects social media handles to WordPress so that users can display social feeds on their websites. The plugin has now compromised the security of thousands of linked Twitter handles.

The plugin was storing the access tokens of all the Twitter accounts linked to different WordPress websites in the source code of those sites. These access tokens are used by the plugin to keep users logged in to their WordPress websites without having to enter passwords or go through two-factor authentication.

These access tokens and Twitter handles can be viewed by anyone who peeks at the source code of those websites. If these tokens are stolen, most sites won’t be able to differentiate between the account owner and the hacker.

The vulnerability was discovered by a French security researcher, Baptiste Robert. (You might know him by the name Elliot Alderson.) He found 539 websites currently using the vulnerable code by searching PublicWWW.

Robert informed Twitter about the vulnerability and the social media giant notified all the affected users about it as well. We would suggest that any WordPress user still using the plugin should stop using it immediately.
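Site owners can audit their own rendered pages for this kind of exposure. The sketch below is an added example, not code from the plugin or from the researcher: it scans the HTML a visitor receives for credential-like key names and token-shaped values in inline scripts and attributes. The key names, the token shape, and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed key names: generic OAuth 1.0a field names, not taken from the plugin's code.
SECRET_KEYS = re.compile(
    r"""["']?(access_token_secret|access_token|consumer_secret|consumer_key)["']?"""
    r"""\s*[:=]\s*["']([^"']{8,})["']""", re.IGNORECASE)
# Assumed token shape: numeric user id, a hyphen, then a long opaque string.
TOKEN_SHAPE = re.compile(r"\b\d{5,20}-[A-Za-z0-9]{20,}\b")

class Collector(HTMLParser):  # gathers inline script text and attribute values
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        self.chunks += [(f"<{tag} {k}>", v) for k, v in attrs if v]
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(("<script>", data))

def redact(value):
    return f"{value[:4]}... ({len(value)} chars)"  # never echo a full secret into a report

def audit_html(html):
    """Return (location, label, redacted value) for each credential-like string found."""
    parser = Collector()
    parser.feed(html)
    parser.close()
    findings, seen = [], set()
    for where, text in parser.chunks:
        hits = [(m.group(1).lower(), m.group(2)) for m in SECRET_KEYS.finditer(text)]
        hits += [("token-shaped value", m.group(0)) for m in TOKEN_SHAPE.finditer(text)]
        for label, value in hits:
            if value not in seen:  # report each distinct value once
                seen.add(value)
                findings.append((where, label, redact(value)))
    return findings

# Constructed sample page; every value below is a made-up placeholder.
SAMPLE = """<div id="feed" data-user="example_handle"></div>
<script>var feedConfig = {"username": "example_handle",
  "consumer_key": "CONSTRUCTEDconsumerKEY0001",
  "access_token": "1234567890-CONSTRUCTEDtokenVALUEabcdef0123456789",
  "access_token_secret": "CONSTRUCTEDsecretVALUEabcdef0123456789xyz"};</script>"""
print(*audit_html(SAMPLE), sep="\n")
```

Any finding means the credential has already been served to every visitor, so removing it from the page is not enough: the token should be revoked and reissued.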

Design Chemicals, the company behind the buggy plugin, hasn’t yet spoken about the incident. There is no mention of it on the website either.


      Moeez is ‘The’ blogger in charge of WPblog. He loves to interact and learn about WordPress with people in the WordPress community. Outside his work life, Moeez spends time hanging out with his friends, playing Xbox and watching football on the weekends. You can get in touch with him at moeez[at]wpblog.com.
