WordPress iOS app leaked security tokens to third-parties

Security tokens can grant attackers access to website data without needing a password

WordPress app icon on iOS device

WordPress's owner Automattic has contacted its users to reassure them that a bug in its official iOS app was exposing website authentication tokens to third-parties had been fixed.

The company confirmed that no user names or passwords had been leaked, but declined to comment on how many users were affected and how the leak was discovered.

The affected websites were those which hosted content on a third-party site, such as an image hosted on Imgur. If an admin of the website updated it via the iOS app, it's possible the website's authentication token was sent to to the third-party content hosting site.

"The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app," the company said in an email sent to its users this week.

There is no evidence to suggest any malicious activity has occurred as a result of the leak, but with access to an authentication code, an attacker could use it to assume control of a WordPress website without the need for a password. This could result in anything from data theft to a complete eradication of the site.

"Access and authentication tokens are common when authenticating apps and services with persistent connection requirements," said Tim Mackey, senior technical evangelist at Synopsys. "For example, if a mobile app doesn't prompt the user for their credentials at each app launch, then there is a strong possibility an access token is in use".

In Automattic's email to users, it said "we've disconnected your app from your account as a precaution" which indicates that the tokens of those affected have been reset and therefore invalidated.

"Users who have used any form of access token should recognise that changing their password will typically not invalidate access tokens," said Mackey. "Instead, they need to revoke application access in order to generate a new token. In the case of a mobile application, uninstalling the application and reinstalling it would typically also generate a new token."

Approximately 33% of all websites are powered using WordPress and 50-60% of all CMSs are WordPress-based too, according to codeinwp.

The topic of access tokens really entered the cyber security conversation in October 2018 when the Irish Data Protection Commission (DPC) confirmed that three million EU users had their access tokens stolen from the Facebook hack.

30 million Facebook users were hacked using stolen access tokens which gave attackers access to a range of personal information stored on their profiles. In 14 million of these cases, data was stolen including name, listed contact method as well as sensitive information such as search and location data.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021