A popular WordPress plugin leaked access tokens capable of hijacking Twitter accounts
A popular WordPress plugin, installed on thousands of websites to help users share content on social media sites, left linked Twitter accounts exposed to compromise.
The plugin, Social Network Tabs, was storing so-called account access tokens in the source code of the WordPress website. Anyone who viewed the source code could see the linked Twitter handle and the access tokens. These access tokens keep you logged in to the website on your phone and your computer without having to re-type your password every time or entering your two-factor authentication code.
But if stolen, most sites can't differentiate between a token used by the account owner, or a hacker who stole the token.
(Score: 3, Insightful) by All Your Lawn Are Belong To Us on Thursday January 17 2019, @02:56PM (2 children)
... Not WordPress. Twitter.
Thereby defeating the purpose of two-factor authentication. Which I'm not always sold on anyways.... Like https, it should depend on the use case whether it should be employed. But to me this is a case of "if you can make an exception to it, then it should always be optional."
This sig for rent.
(Score: 0, Interesting) by Anonymous Coward on Thursday January 17 2019, @06:13PM (1 child)
You seem to misunderstand what a "cookie" is and how it's used by all HTTPS websites to keep you logged in across requests. Same shit with this token (ie. key). maybe it's also "defective by design" and you want each request to be confirmed with password/OTP?
(Score: 2) by All Your Lawn Are Belong To Us on Thursday January 17 2019, @11:51PM
Yes. That would be nice. [/sarcasm]
No, I fully understand what a cookie is. API Tokens aren't cookies, though they can be imbued with similar functionality. But yep, let's say I bought into your understanding. Then it STILL would be a violation of what OTP's and 2FA's are supposed to do over any significant length of time. By design. Cookies, too, if they are used in combination with 2FA also defeat the point of 2FA for whatever range of time it's good for, if I can then take over your account WITHOUT the 2FA device present.
But again, these aren't cookies. They are API Tokens.... and if they can be compromised and bypass the 2FA process (from TFA, in case you aren't reading).... then they defeat the purpose of 2FA even when being used properly. Mmmkay?
This sig for rent.
(Score: 0) by Anonymous Coward on Thursday January 17 2019, @05:07PM
i was feeling sympathetic at first while reading, thinking "poor bastards it must be hard to think of everything and with so many eyes on your code they are bound to find something..." then i read " account access tokens in the source code". lmao.
(Score: 3, Insightful) by Thexalon on Thursday January 17 2019, @06:18PM
Automated cross-account authentication from one Internet-connected application to another is fraught with danger, and should not be used for anything important.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Thursday January 17 2019, @06:58PM (1 child)
pile of junk
(Score: 0) by Anonymous Coward on Thursday January 17 2019, @11:03PM
0auth.com is a train wreck waiting to happen.
One good exploit will net millions of accounts on hundreds of thousands of sites.