WordPress iOS app leaked security tokens to third-parties

Security tokens can grant attackers access to website data without needing a password


WordPress's owner Automattic has contacted its users to reassure them that a bug in its official iOS app, which had been exposing website authentication tokens to third parties, has been fixed.

The company confirmed that no user names or passwords had been leaked, but declined to comment on how many users were affected and how the leak was discovered.

The affected websites were those that embedded content hosted on a third-party site, such as an image hosted on Imgur. If an admin of such a website updated it via the iOS app, it's possible the website's authentication token was sent to the third-party content host.

"The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app," the company said in an email sent to its users this week.
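The failure mode described above is a client that attaches its API credential to every outbound request, including fetches of images embedded from other hosts. The following is an added example, not code from the article or from Automattic's app, that puts the leaky pattern next to a hardened one that scopes the token to the API origin, re-checks that origin on every redirect hop, and audits captured traffic for tokens sent elsewhere. The API host name, the token value and the transport are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholders (not values from the article): the API origin the
# app authenticates against and a dummy bearer token.
API_HOST = "public-api.wordpress.example"
TOKEN = "EXAMPLE_TOKEN_PLACEHOLDER"


def is_api_origin(url: str, api_host: str = API_HOST) -> bool:
    """True only for https requests to exactly the API host on the default
    port. Lookalike hosts, subdomains, http downgrades and odd ports all fail."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host == api_host.lower() and parts.port in (None, 443)


def leaky_headers(url: str, token: str) -> dict:
    """The bug pattern: the token rides along on every request, regardless of
    where the URL points (e.g. a third-party image host)."""
    return {"Authorization": f"Bearer {token}"}


def scoped_headers(url: str, token: str, api_host: str = API_HOST) -> dict:
    """Hardened variant: the token is attached only to API-origin requests;
    anything else gets no Authorization header at all."""
    if is_api_origin(url, api_host):
        return {"Authorization": f"Bearer {token}"}
    return {}


def fetch_with_scoped_auth(url, token, send, api_host=API_HOST, max_redirects=5):
    """Simulated fetch that re-evaluates the origin on every redirect hop, so a
    redirect from the API host to a content host does not carry the token.
    `send(url, headers)` is an injected stand-in for a real HTTP client and
    returns (status, location_or_body)."""
    hops = []
    for _ in range(max_redirects + 1):
        headers = scoped_headers(url, token, api_host)
        hops.append((url, "Authorization" in headers))
        status, payload = send(url, headers)
        if status in (301, 302, 303, 307, 308):
            url = payload  # follow Location, but decide auth afresh next hop
            continue
        return status, payload, hops
    raise RuntimeError("too many redirects")


def audit_requests(records, api_host=API_HOST):
    """Defender's check over captured client traffic (e.g. a proxy log):
    list every request that carried a token to a non-API host.
    `records` are (url, had_auth_header) tuples."""
    return [url for url, had_auth in records if had_auth and not is_api_origin(url, api_host)]


def fake_transport(url, headers):
    """Constructed offline transport: the API host redirects one media URL to
    a third-party image host, which reports whether it received a token."""
    if url.startswith("https://public-api.wordpress.example/media/1"):
        return 302, "https://images.thirdparty.example/photo.jpg"
    return 200, "leaked" if "Authorization" in headers else "clean"


if __name__ == "__main__":
    status, body, hops = fetch_with_scoped_auth(
        "https://public-api.wordpress.example/media/1", TOKEN, fake_transport)
    print(status, body, hops)
```

The origin check is deliberately strict: a host match alone would still let a plain-http downgrade or a non-standard port carry the token, and the redirect loop matters because a content host reached via the API's own redirect is just as much a third party as one linked directly.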


There is no evidence to suggest any malicious activity has occurred as a result of the leak, but with a valid authentication token an attacker could assume control of a WordPress website without needing its password. This could result in anything from data theft to the site being wiped entirely.

"Access and authentication tokens are common when authenticating apps and services with persistent connection requirements," said Tim Mackey, senior technical evangelist at Synopsys. "For example, if a mobile app doesn't prompt the user for their credentials at each app launch, then there is a strong possibility an access token is in use".

In Automattic's email to users, it said "we've disconnected your app from your account as a precaution" which indicates that the tokens of those affected have been reset and therefore invalidated.

"Users who have used any form of access token should recognise that changing their password will typically not invalidate access tokens," said Mackey. "Instead, they need to revoke application access in order to generate a new token. In the case of a mobile application, uninstalling the application and reinstalling it would typically also generate a new token."

Approximately 33% of all websites are powered by WordPress, and it accounts for 50-60% of the CMS market, according to codeinwp.

The topic of access tokens really entered the cyber security conversation in October 2018, when the Irish Data Protection Commission (DPC) confirmed that three million EU users had their access tokens stolen in the Facebook hack.


30 million Facebook users were hacked using stolen access tokens, which gave attackers access to a range of personal information stored on their profiles. For 14 million of them, the data stolen included their name and listed contact details as well as more sensitive information such as search history and location data.
