Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Drupal Twitter Module Credential Exposure
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Mon, 15 Feb 2010 12:39:14 -0500

Hash: SHA1

The full text of this advisory can also be found at

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules.  The Twitter Module
(http://drupal.org/project/twitter) suffers from potential vulnerability
due to the fact that it could expose stored Twitter account credentials
to theft or exposure.

Systems affected:
- -----------------
Drupal 6.15 with Twitter Module 6.x-2.6 was tested and shown to be

- ------
The Drupal Twitter module handles credentials in an unsafe manner,
allowing anyone with read access to the Drupal database, or with access
to network traffic between the Drupal server and the Twitter API, to
observe the full Twitter username and password for Twitter user
configured through the module.

Mitigating factors:
- -------------------
Twitter module must be installed and configured with user account

Technical discussion and proof of concept:
- ------------------------------------------
The Drupal Twitter contravenes many of the stated Twitter "Secure Best
Practices." (http://apiwiki.twitter.com/Security-Best-Practices)

The module stores Twitter credentials unobscured in the Drupal database.
 Both user specific passwords and the global site Twitter account
credentials are stored.  The global passwords can be found in the Drupal
variable table:

mysql> select * from variable where name like 'twitter_global%';
| name                    | value                    |
| twitter_global_name     | s:16:"Twitter username"; |
| twitter_global_password | s:16:"Twitter password"; |
2 rows in set (0.00 sec)

User specific credentials can be found in the twitter_user table:

mysql> select * from twitter_user;
| uid | screen_name  | password  | import |
|   3 | twitter_name | twit_pass |      1 |
1 row in set (0.00 sec)

The inclusion of the full credentials in the database exposes these
credentials to theft by anyone with read access to the database.  This
includes anyone with sufficient permissions to craft PHP through Drupal,
which is a native function of many of the core and extended third party

Additionally when the module updates a Twitter feed status or verifies
account credentials it utilizes base 64 encoded, but unencrypted
connections, to pass credentials and update status messages rather than
the OAuth facility provided by Twitter

- -- 
Justin C. Klein Keane
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Drupal Twitter Module Credential Exposure Justin C. Klein Keane (Feb 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]