WordPress iOS app leaked authentication tokens

Automattic plugs leaky WordPress.com iOS app that exposed account security tokens to third-party sites.
Written by Catalin Cimpanu, Contributor

Automattic, the company behind the WordPress.com blogging platform, said it fixed a bug in its official iOS application that might have exposed users' account authentication tokens to third-party websites.

"The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app," the company said in an email it sent to its users this week.

"We've fixed the issue and released an updated version of the app to the App Store," it said.

Also: Online security 101: Tips for protecting your privacy

Automattic said no usernames and passwords were exposed, but only "security tokens that the app uses to communicate/authenticate with WordPress.com."

This means that if a WordPress.com blog owner used the iOS app to create or edit a blog post that contained an image hosted on another site, then that site might have received the WordPress.com security token by accident.

There is now a danger that WordPress.com authentication tokens are presently recorded in server logs at various websites and online services, and that unethical website owners or employees might go looking for these tokens in their web server logs.

The value of these tokens is that they can be used to access a user's WordPress.com account without a password. However, Automattic has told ZDNet that these tokens have now been revoked, rendering them useless.

Self-hosted WordPress sites are not impacted, as the open-source version uses its self-standing user system to grant users access to their sites, and not WordPress.com accounts.

"Our engineers discovered this bug in the iOS app (Android was not affected) and we have no indication it was ever exploited. The first affected version was released in January 2017, and version 11.9.1 released on March 15, 2019 fixed the issue," an Automattic spokesperson told ZDNet.

"We sent a message to all WordPress.com iOS users with private sites and reset their tokens," the spokesperson added.

A copy of Automattic's email is available below:

Data leaks: The most common sources

More data breach coverage:

Editorial standards