Vulners
Lucene search
WordPress Social-Stream 1.6.0 Twitter API Secret Disclosure
`Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Keys
CWE-522 :Insufficiently Protected Credentials
Products:
Wordpress Social Stream
Versions 1.6.0 and lower
https://codecanyon.net/item/wordpress-social-stream/2201708
Social Network Tabs
Versions 1.7.4 and lower
https://codecanyon.net/item/social-network-tabs-for-wordpress/1982987
Fix:
Wordpress Social Stream, V 1.6.1
https://codecanyon.net/item/wordpress-social-stream/2201708
"WordPress Social Stream will combine all of your social network feeds into one
single network stream or create a single feed for multiple social
network profiles."
A weakness exists in the Wordpress plugin Social-Stream which exposes all four
Twitter API keys as parameters of a URL link on the webpage in which
the plugin widget
is rendered.
consumer_key
consumer_secret
oauth_access_token
oauth_access_token_secret
When the end user places the code in their HTML to embed a Twitter Stream feed,
it calls the file dcwp_twitter.php, where the Twitter API keys are stored.
Those keys are set as a variable, then are incorrectly echo'd onto the webpage.
===============================================================================
$auth = new dcwss_TwitterOAuth($consumer_key,$consumer_secret,$oauth_access_token,$oauth_access_token_secret);
$get = $auth->get( $rest, $params );
//print_r($get->errors);
} else {
echo $get;
}
===============================================================================
The full and clear text URL is exposed similar to this:
http://example.com/wp-content/plugins/wordpress-social-stream/inc/dcwp_twitter.php?1=consumer_key&2=consumer_secret&3=access_key&4=access_secret
Google Dork
https://www.google.com/search?num=100&q=dcwp_twitter+text&filter=0
Fix:
The vendor has issued a patch for the Wordpress Social Stream, V 1.6.1
available here:
https://codecanyon.net/item/wordpress-social-stream/2201708
It is not known whether a patch has been issued for Social Network Tabs plugin.
An important note, the keys will remain good even after the patch,
until the end user revokes the original keys and issues a new set.
Changing one's password will not mitigate this problem, however
setting the app to be read only in Twitter will mitigate an attackers
ability to post tweets or change profile pictures as them.
------------------------------------------------------------------------------
Timeline:
Vendor notified on 04/01/2017
Fix Complete on 04/06/2017
Disclosure Public 05/21/2017
Contact: Kyle Lovett [email protected]
------------------------------------------------------------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 May 2017 00:00Current
7.4High risk
Vulners AI Score7.4