Support » Plugins and Hacks » [Plugin: WordTwit] Suspicious Code base64_decode ( 'ZGVma

[Plugin: WordTwit] Suspicious Code base64_decode ( 'ZGVma

  • I have found suspicious looking code on line 351 inside the wordtwit/include/oauth-twitter.php as follows:

    eval( base64_decode( ‘ZGVmaW5lKCAnV09SRFRXSVRfT0FVVEhfQ09OU1VNRVJfU0VDUkVUJywgJ0cxWkVTQjVXUGpDVDE4dVhDeldxNVZxbHBtdDdKanNVYVN0ZG5Gd3dhdycgKTs=’ ) );

    To me, this looks suspicious. Please confirm that this is part of your original coding and why you chose to make it this way.

    Note: This is from a fresh download as of today from wordpress.org plugin page.


Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Duane Storey


    Yes, it’s by design. It represents the OAuth token secret. Ideally it’s kept secret, but since that’s not possible in a PHP plugin the best we can do is obfuscate it, which is what’s done there.

    You should be aware that the obfuscation not only doesn’t solve the problem of it being a secret, but the way it is written causes problems in some setups. Break it into two lines… the base64_decode() returned to a string. The string then eval()’d.

    This works in our environment where the current way does not. I know it’s weird. But trust me…

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘[Plugin: WordTwit] Suspicious Code base64_decode ( 'ZGVma’ is closed to new replies.