15 tweets, 6 min read
Time for fun! The @WordPress plugin known as Social Network Tabs, made by Design Chemical, combines all of your favorite social networks profiles. Due to their poor coding skills I was able to take over 127 Twitter accounts #0day #infosec github.com/fs0c131y/CVE-2…
This is caused by the following lines of code within the page where the Twitter widget is displayed. Yes, they leak the Twitter access_token, access_token_secret, consumer_key and consumer_secret of their users.
Thanks to @publicww, with the following search queries, I managed to retrieve the Twitter access_token, access_token_secret, consumer_key and consumer_secret from 539 vulnerable websites.
Because I'm a nice guy, I wrote a small Python script to test these API keys. The first time I ran this script, 446 keys were valid github.com/fs0c131y/CVE-2…
I was also able to like/retweet the tweet of my choice 127 times, aka 127 Twitter API keys had read/write rights.
All the vulnerable websites and Twitter accounts + API keys are available on GitHub. It's worth mentioning that there were 2 verified accounts in the list and multiple accounts with more than 10K+ followers. Of course, all the keys had been deactivated by Twitter.
You can call this vulnerability CVE-2018-20555
To sum up:
- People installed this @Wordpress plugin which is leaking their @Twitter API keys
- By getting their keys, an attacker was able to get their info (446 accounts)
- If the key has read/write rights, the attacker was able to take over the account (127 accounts)
Next time you install a WordPress plugin, think about it!
The story is not finished, an update is coming 😁
Nice article by @zackwhittaker on this vulnerability techcrunch.com/2019/01/17/wor…
This story is not finished.

With a simple Google search query, "inurl:/inc/dcwp_twitter.php?1=", you can find that a lot of websites, and therefore Twitter accounts, are still vulnerable to this issue. This query returns 3550 results.
And because I'm a friendly guy, I wrote a scraper to automatically extract the keys from the result of this Google search query. Enjoy! github.com/fs0c131y/CVE-2…
Among the first 9 pages of results, I managed to retrieve 78 keys (86%).

Next time, you will pay me this bounty @Twitter
Now I can close this thread. Bye
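As an added example (not the thread author's script, and not code from the plugin), here is a Python self-check a site owner can run over the HTML their own pages serve. It looks for the four Twitter credential names the thread lists (consumer_key, consumer_secret, access_token, access_token_secret) embedded in inline JavaScript or JSON, reports them redacted, and rates the exposure: all four together is what let the thread's author act on 127 accounts. The two sample pages, the variable names in them and the `exposure_level` labels are constructed for this example and are not taken from the plugin.

```python
"""Self-audit: detect Twitter OAuth credentials exposed in a rendered page.

Added example; it is neither the thread author's script nor the plugin's code.
Run it over HTML fetched from your own site to confirm whether a widget is
leaking the credentials the thread describes.
"""
import re
from typing import Dict, Tuple

# Names of the Twitter OAuth 1.0a credentials the thread says were leaked.
CREDENTIAL_NAMES = ("consumer_key", "consumer_secret", "access_token", "access_token_secret")

# Matches  "consumer_key": "value"  /  consumer_key = 'value'  in inline JS,
# JSON or HTML. Longer names are listed first so the "access_token" branch
# cannot match a prefix of "access_token_secret".
CREDENTIAL_RE = re.compile(
    r'["\']?\b(consumer_key|consumer_secret|access_token_secret|access_token)\b["\']?'
    r'\s*[:=]\s*["\']([^"\'\s<>]+)["\']'
)


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be matched to a known key without logging it."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def find_leaked_twitter_credentials(html: str) -> Dict[str, str]:
    """Return {credential_name: redacted_value} for each credential found in the HTML."""
    found: Dict[str, str] = {}
    for match in CREDENTIAL_RE.finditer(html):
        name, value = match.group(1), match.group(2)
        found.setdefault(name, redact(value))  # first occurrence wins
    return found


def exposure_level(found: Dict[str, str]) -> str:
    """'full': all four present, enough to act as the user (the 127-account case).
    'partial': some present, still a secret leak. 'none': nothing found."""
    present = [name for name in CREDENTIAL_NAMES if name in found]
    if len(present) == len(CREDENTIAL_NAMES):
        return "full"
    return "partial" if present else "none"


def audit_pages(pages: Dict[str, str]) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Audit a mapping of {url: html} already fetched from your own site."""
    report: Dict[str, Tuple[str, Dict[str, str]]] = {}
    for url, html in pages.items():
        found = find_leaked_twitter_credentials(html)
        report[url] = (exposure_level(found), found)
    return report


# Constructed sample: a widget that embeds its credentials client-side (the
# pattern the thread describes). Values are placeholders, not real keys.
SAMPLE_VULNERABLE_HTML = """
<html><body>
<div class="social-tabs">
<script type="text/javascript">
/* constructed example of a widget configured with its credentials in the page */
var twitterWidgetConfig = {
  "consumer_key": "EXAMPLEconsumerKey0000000",
  "consumer_secret": "EXAMPLEconsumerSecret0000000000000000000000000",
  "access_token": "12345678-EXAMPLEaccessToken00000000000000000000",
  "access_token_secret": "EXAMPLEaccessTokenSecret000000000000000000000"
};
</script>
</div></body></html>
"""

# Constructed sample of the safe shape: the page only references a server-side
# endpoint, and the credentials never reach the browser.
SAMPLE_CLEAN_HTML = """
<html><body>
<div class="social-tabs" data-feed-endpoint="/wp-json/social-tabs/v1/twitter-feed"></div>
<script src="/wp-content/plugins/social-tabs/feed.js"></script>
</body></html>
"""


if __name__ == "__main__":
    pages = {"https://example.test/vulnerable": SAMPLE_VULNERABLE_HTML,
             "https://example.test/clean": SAMPLE_CLEAN_HTML}
    for url, (level, found) in audit_pages(pages).items():
        print(f"{url}: exposure={level}")
        for name, redacted in found.items():
            print(f"  {name} = {redacted}")
```

The regex only recognises the four names quoted as keys or assigned as variables, so a site that renames them would need the pattern extended; the safe shape is the second sample, where the page references a server-side endpoint and the secrets stay in server configuration.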
Thread by Elliot Alderson