A popular WordPress plugin leaked access tokens capable of hijacking Twitter accounts
A popular WordPress plugin, installed on thousands of websites to help users share content on social media sites, left linked Twitter accounts exposed to compromise.
The plugin, Social Network Tabs, was storing so-called account access tokens in the source code of the WordPress website. Anyone who viewed the source code could see the linked Twitter handle and the access tokens. These access tokens keep you logged in to the website on your phone and your computer without having to re-type your password every time or enter your two-factor authentication code.
But if a token is stolen, most sites can't differentiate between its use by the account owner and its use by the hacker who stole it.
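The defect described above is one a site owner can check for directly: fetch your own rendered pages and look for OAuth credential field names and token-shaped strings in the HTML that is served to every visitor. The following Python scanner is an added example, not code from the article or from the Social Network Tabs plugin. The field names it looks for, the constructed sample page, and the token shape it matches (a numeric user id, a dash, then 40 alphanumerics, which is the shape of Twitter's OAuth 1.0a user access tokens) are assumptions; the plugin's actual variable names are not reproduced here. Findings are reported with redacted previews so the scanner's own output does not become a second copy of the leak.

```python
import re

# Generic OAuth 1.0a credential field names that should never appear as
# literals in a public page. Longer names come first so the alternation
# prefers "oauth_token_secret" over "oauth_token". (Assumed names; the
# plugin's own variable names are not known here.)
SECRET_NAMES = (
    "oauth_token_secret", "oauth_token",
    "access_token_secret", "access_token",
    "consumer_secret", "consumer_key",
)

# Matches   name = "value"   name: 'value'   name => "value"
# anywhere in the page source (inline JS, PHP echoed into HTML, etc.).
ASSIGN_RE = re.compile(
    r"(?P<name>" + "|".join(SECRET_NAMES) + r")"
    r"\s*(?:=>|=|:)\s*['\"](?P<value>[^'\"]{8,})['\"]",
    re.IGNORECASE,
)

# Shape of a Twitter OAuth 1.0a user access token (assumption based on the
# documented format): numeric user id, dash, 40 alphanumerics.
TWITTER_ACCESS_TOKEN_RE = re.compile(r"\b\d{1,20}-[0-9A-Za-z]{40}\b")


def redact(value):
    """Keep just enough of a secret to recognise it, never the whole thing."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def find_exposed_credentials(html):
    """Return a list of findings for credential-like literals in page source.

    Each finding is {"line": int, "name": str, "value_preview": str}.
    Name-based matches come first in source order; token-shaped strings
    that were not already caught by name are appended afterwards.
    """
    findings, seen = [], set()

    for m in ASSIGN_RE.finditer(html):
        value = m.group("value")
        seen.add(value)
        findings.append({
            "line": html.count("\n", 0, m.start()) + 1,
            "name": m.group("name").lower(),
            "value_preview": redact(value),
        })

    for m in TWITTER_ACCESS_TOKEN_RE.finditer(html):
        value = m.group(0)
        if value in seen:
            continue
        seen.add(value)
        findings.append({
            "line": html.count("\n", 0, m.start()) + 1,
            "name": "twitter_access_token_shape",
            "value_preview": redact(value),
        })

    return findings


def page_is_safe(html):
    """True when no credential-like literal was found in the page source."""
    return not find_exposed_credentials(html)


# Constructed sample page: a social-sharing widget config echoed into the
# <head>, with made-up credential values that follow the expected shapes.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Example blog</title>
<script>
  var shareConfig = {
    handle: "exampleuser",
    consumer_key: "EXAMPLEconsumerKEY123456",
    consumer_secret: "EXAMPLEconsumerSECRETabcdefghijklmnop",
    oauth_token: "123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn",
    oauth_token_secret: "EXAMPLEtokenSECRET0123456789abcdefghijklmnopq"
  };
</script>
</head><body><p>Hello</p></body></html>
"""

if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_HTML):
        print(f"line {f['line']}: {f['name']} = {f['value_preview']}")
    print("safe" if page_is_safe(SAMPLE_HTML) else "credentials exposed")
```

Run it over the HTML you get back from fetching your own pages as an anonymous visitor (the output of `curl` against the public URL, not the admin view). Any finding means the credentials are already public: revoke them in the Twitter app settings, issue new ones, and keep the replacements server-side in the plugin's options rather than in a template that is rendered into the page.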
(Score: 2) by All Your Lawn Are Belong To Us on Thursday January 17 2019, @11:51PM
Yes. That would be nice. [/sarcasm]
No, I fully understand what a cookie is. API Tokens aren't cookies, though they can be imbued with similar functionality. But yep, let's say I bought into your understanding. Then it STILL would be a violation of what OTPs and 2FA are supposed to do over any significant length of time. By design. Cookies, too, if they are used in combination with 2FA, also defeat the point of 2FA for whatever range of time they're good for, if I can then take over your account WITHOUT the 2FA device present.
But again, these aren't cookies. They are API Tokens.... and if they can be compromised and bypass the 2FA process (from TFA, in case you aren't reading).... then they defeat the purpose of 2FA even when being used properly. Mmmkay?
This sig for rent.