Automattic, the publisher of WordPress.com, said it has fixed a bug in its official iOS app that could have exposed users’ account authentication tokens to third-party websites.
“The issue created the potential to expose security credentials to third-party websites and only affected private websites whose externally hosted images (for example, with a service like Flickr) are viewed or composed with the app,” the company said in an email to its users this week.
“We have fixed the issue and released an updated version of the app on the App Store,” it said. Automattic said no usernames and passwords were exposed, only “security tokens that the app uses to communicate/authenticate with WordPress.com.”
This means that if a WordPress.com blog owner used the iOS app to create or edit a blog post containing an image hosted on another site, then that site could have received the WordPress.com security token by accident.
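The leak path described above is a credential-scoping bug: a token meant for the account's own API is attached to requests for every embedded image, whatever host serves it. The added example below (not Automattic's code; the article gives no technical details) contrasts that pattern with a client that only sends the token to first-party hosts, and adds an exposure check that lists the third-party hosts a vulnerable client would have handed the token to. The `wordpress.com` domain rule and the `Authorization: Bearer` header format are assumptions.

```python
"""Scoping an account token to first-party hosts when an app fetches embedded images.

Added illustration: the domain rule and header format are assumptions, not details
Automattic disclosed.
"""
from urllib.parse import urlsplit

# Assumed first-party domains; any subdomain (e.g. a private site at
# example.wordpress.com) also counts as first-party.
FIRST_PARTY_DOMAINS = ("wordpress.com",)


def is_first_party(url: str) -> bool:
    """True only for https URLs whose host is a first-party domain or subdomain.

    urlsplit().hostname ignores userinfo, so "https://wordpress.com@evil.example/x"
    is correctly treated as evil.example, not wordpress.com.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def image_request_vulnerable(url: str, token: str) -> dict:
    """The bug class in the article: the account token rides along on every fetch."""
    return {"url": url, "headers": {"Authorization": f"Bearer {token}"}}


def image_request_fixed(url: str, token: str) -> dict:
    """Hardened form: the token is attached only to first-party requests."""
    headers = {"Authorization": f"Bearer {token}"} if is_first_party(url) else {}
    return {"url": url, "headers": headers}


def third_party_hosts(image_urls) -> set:
    """Exposure assessment for one post: the hosts a vulnerable client would have
    sent the token to, i.e. the reason to revoke it and issue a new one."""
    return {urlsplit(u).hostname for u in image_urls if not is_first_party(u)} - {None}


if __name__ == "__main__":
    # Constructed sample post: one private-site image and two externally hosted ones.
    post_images = [
        "https://example.wordpress.com/files/2019/photo.jpg",
        "https://live.staticflickr.com/65535/constructed-sample.jpg",
        "http://cdn.example.net/banner.png",
    ]
    for u in post_images:
        print(u, "->", image_request_fixed(u, "TOKEN-PLACEHOLDER")["headers"])
    print("hosts that would have received the token:", third_party_hosts(post_images))
```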
There now remains a danger that WordPress.com authentication tokens are currently stored in the server logs of various websites and online services, and that website owners or employees may go looking for these tokens in their web server logs. The value of these tokens is that they can be used to access a user’s WordPress.com account without a password.
Self-hosted WordPress sites running the open-source version are not affected, because that version uses its own standalone user system to let users access their sites, rather than WordPress.com accounts. Automattic did not disclose the technical details of the flaw, say how it discovered the leak, or say how many users were affected.