Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Keys CWE-522 :Insufficiently Protected Credentials Products: Wordpress Social Stream Versions 1.6.0 and lower https://codecanyon.net/item/wordpress-social-stream/2201708 Social Network Tabs Versions 1.7.4 and lower https://codecanyon.net/item/social-network-tabs-for-wordpress/1982987 Fix: Wordpress Social Stream, V 1.6.1 https://codecanyon.net/item/wordpress-social-stream/2201708 "WordPress Social Stream will combine all of your social network feeds into one single network stream or create a single feed for multiple social network profiles." A weakness exists in the Wordpress plugin Social-Stream which exposes all four Twitter API keys as parameters of a URL link on the webpage in which the plugin widget is rendered. consumer_key consumer_secret oauth_access_token oauth_access_token_secret When the end user places the code in their HTML to embed a Twitter Stream feed, it calls the file dcwp_twitter.php, where the Twitter API keys are stored. Those keys are set as a variable, then are incorrectly echo'd onto the webpage. =============================================================================== $auth = new dcwss_TwitterOAuth($consumer_key,$consumer_secret,$oauth_access_token,$oauth_access_token_secret); $get = $auth->get( $rest, $params ); //print_r($get->errors); } else { echo $get; } =============================================================================== The full and clear text URL is exposed similar to this: http://example.com/wp-content/plugins/wordpress-social-stream/inc/dcwp_twitter.php?1=consumer_key&2=consumer_secret&3=access_key&4=access_secret Google Dork https://www.google.com/search?num=100&q=dcwp_twitter+text&filter=0 Fix: The vendor has issued a patch for the Wordpress Social Stream, V 1.6.1 available here: https://codecanyon.net/item/wordpress-social-stream/2201708 It is not known whether a patch has been issued for Social Network Tabs plugin. An important note, the keys will remain good even after the patch, until the end user revokes the original keys and issues a new set. Changing one's password will not mitigate this problem, however setting the app to be read only in Twitter will mitigate an attackers ability to post tweets or change profile pictures as them. ------------------------------------------------------------------------------ Timeline: Vendor notified on 04/01/2017 Fix Complete on 04/06/2017 Disclosure Public 05/21/2017 Contact: Kyle Lovett krlovett@gmail.com ------------------------------------------------------------------------------