WordPress iOS application: authentication token flaw patched

Automattic, the company behind the official WordPress iOS app, said it has fixed a bug in the app that could have exposed users’ account authentication tokens to third-party websites.

“The issue created the potential to expose security credentials to third-party websites and only affected private websites whose externally hosted images (for example, with a service like Flickr) are viewed or composed with the app,” the company said in an email to its users this week.

“We have fixed the issue and released an updated version of the app on the App Store,” it said. Automattic said no usernames and passwords were exposed, only “security tokens that the app uses to communicate/authenticate with”

This means that if a blog owner used the iOS app to create or edit a post on a private site containing an image hosted elsewhere, the site hosting that image could have received the security token along with the image request.
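The defensive pattern the fix implies is to scope the account token to the service's own API host, so image fetches from any other host go out without credentials. The following is an added illustration, not Automattic's code; the API host name and token value are constructed for the example, and the page does not say how the app actually transmitted the token.

```python
"""Added example (not the app's own code): only attach the account token
to requests bound for the service's own API host. API_HOST and the
token below are constructed for illustration."""
from urllib.parse import urlsplit

# Hypothetical API host for which the bearer token is valid.
API_HOST = "api.example.com"


def token_allowed_for(url: str, api_host: str = API_HOST) -> bool:
    """Return True only if a request to `url` may carry the account token.

    Requires https and an exact, case-insensitive host match. Refuses URLs
    carrying userinfo (https://api.example.com@evil.test/) or an explicit
    port, since either can make a third-party URL resemble the API host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc:
        return False
    try:
        if parts.port is not None:
            return False
    except ValueError:  # malformed port such as ":abc"
        return False
    return (parts.hostname or "").lower() == api_host.lower()


def headers_for_image(url: str, token: str) -> dict:
    """Build request headers for fetching an image embedded in a post.

    A private-site post may embed images hosted anywhere (a photo-sharing
    service, for instance); only the service's own API host receives the
    Authorization header. Every other host is fetched anonymously.
    """
    headers = {"User-Agent": "example-mobile-client/1.0"}
    if token_allowed_for(url):
        headers["Authorization"] = f"Bearer {token}"
    return headers


if __name__ == "__main__":
    token = "CONSTRUCTED-TOKEN-NOT-REAL"
    for u in ("https://api.example.com/media/1.jpg",
              "https://photos.third-party.test/img/1.jpg",
              "https://api.example.com@photos.third-party.test/x.jpg"):
        sent = "Authorization" in headers_for_image(u, token)
        print(u, "->", "token sent" if sent else "no token")
```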

The remaining risk is that authentication tokens are now sitting in the web server logs of various third-party websites and online services, and that site owners or employees may go looking for them. The tokens are valuable because they can be used to access a user’s account without a password.

Self-hosted WordPress sites running the open-source version are not affected, as that version uses its own standalone user system to log users in to their sites rather than accounts on the hosted service. Automattic did not disclose the technical details of the flaw, say how it discovered the leak, or how many users were affected.
