WordPress iOS app leaked security tokens to third-parties

Security tokens can grant attackers access to website data without needing a password

WordPress app icon on iOS device

WordPress's owner Automattic has contacted its users to reassure them that a bug in its official iOS app was exposing website authentication tokens to third-parties had been fixed.

The company confirmed that no user names or passwords had been leaked, but declined to comment on how many users were affected and how the leak was discovered.

Advertisement - Article continues below

The affected websites were those which hosted content on a third-party site, such as an image hosted on Imgur. If an admin of the website updated it via the iOS app, it's possible the website's authentication token was sent to to the third-party content hosting site.

"The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app," the company said in an email sent to its users this week.

There is no evidence to suggest any malicious activity has occurred as a result of the leak, but with access to an authentication code, an attacker could use it to assume control of a WordPress website without the need for a password. This could result in anything from data theft to a complete eradication of the site.

Advertisement - Article continues below
Advertisement - Article continues below

"Access and authentication tokens are common when authenticating apps and services with persistent connection requirements," said Tim Mackey, senior technical evangelist at Synopsys. "For example, if a mobile app doesn't prompt the user for their credentials at each app launch, then there is a strong possibility an access token is in use".

In Automattic's email to users, it said "we've disconnected your app from your account as a precaution" which indicates that the tokens of those affected have been reset and therefore invalidated.

"Users who have used any form of access token should recognise that changing their password will typically not invalidate access tokens," said Mackey. "Instead, they need to revoke application access in order to generate a new token. In the case of a mobile application, uninstalling the application and reinstalling it would typically also generate a new token."

Approximately 33% of all websites are powered using WordPress and 50-60% of all CMSs are WordPress-based too, according to codeinwp.

Advertisement - Article continues below

The topic of access tokens really entered the cyber security conversation in October 2018 when the Irish Data Protection Commission (DPC) confirmed that three million EU users had their access tokens stolen from the Facebook hack.

30 million Facebook users were hacked using stolen access tokens which gave attackers access to a range of personal information stored on their profiles. In 14 million of these cases, data was stolen including name, listed contact method as well as sensitive information such as search and location data.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now


Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

10 quick tips to identifying phishing emails

16 Mar 2020

Most Popular


Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020