WordPress iOS app leaked security tokens to third-parties

Security tokens can grant attackers access to website data without needing a password

WordPress app icon on iOS device

WordPress's owner Automattic has contacted its users to reassure them that a bug in its official iOS app, which was exposing website authentication tokens to third parties, has been fixed.

The company confirmed that no user names or passwords had been leaked, but declined to comment on how many users were affected and how the leak was discovered.

The affected websites were those which hosted content on a third-party site, such as an image hosted on Imgur. If an admin of the website updated it via the iOS app, it's possible the website's authentication token was sent to the third-party content hosting site.
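The article does not say how the token reached the third-party host. As an added illustration (not Automattic's code), the Python below assumes the usual cause of this bug class, an HTTP client that attaches the site's bearer token to every outgoing request, and contrasts it with an origin-scoped client plus an audit check a defender can run over captured requests; the site, token and image hosts are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample values: placeholder site, token and image hosts, not real ones.
SITE_ORIGIN = "https://private-site.example"
TOKEN = "CONSTRUCTED-PLACEHOLDER-TOKEN"
SAMPLE_URLS = [
    "https://private-site.example/wp-json/wp/v2/posts",      # the site's own API
    "https://private-site.example:443/wp-content/a.png",     # same origin, explicit port
    "https://images.thirdparty-a.example/constructed.png",   # externally hosted image
    "https://photos.thirdparty-b.example/constructed.jpg",   # externally hosted image
]
_DEFAULT_PORTS = {"http": 80, "https": 443}

def same_origin(url: str, origin: str) -> bool:
    """True only when scheme, host and effective port all match. A different
    host, or a downgrade from https to http, is a different origin."""
    def key(u: str):
        p = urlsplit(u)
        scheme = p.scheme.lower()
        return (scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme))
    return key(url) == key(origin)

def build_request_leaky(url: str, token: str) -> dict:
    """'Before': the token rides on every request, so fetching a third-party
    image hands the site's credential to that third party."""
    return {"url": url, "headers": {"Authorization": f"Bearer {token}"}}

def build_request_scoped(url: str, token: str, origin: str) -> dict:
    """'After': the token is attached only to requests for the origin it was
    issued for; third-party content is fetched without credentials."""
    headers = {}
    if same_origin(url, origin):
        headers["Authorization"] = f"Bearer {token}"
    return {"url": url, "headers": headers}

def cross_origin_credential_sends(requests: list, origin: str) -> list:
    """Audit check: return the third-party hosts that would receive an
    Authorization header. Run it over an app's outgoing requests (e.g. a proxy
    capture) as a regression test; the expected result is an empty list."""
    return sorted({
        urlsplit(r["url"]).hostname
        for r in requests
        if "Authorization" in r["headers"] and not same_origin(r["url"], origin)
    })
```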

"The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app," the company said in an email sent to its users this week.

There is no evidence to suggest any malicious activity has occurred as a result of the leak, but with access to an authentication token, an attacker could use it to assume control of a WordPress website without the need for a password. This could result in anything from data theft to the complete eradication of the site.

"Access and authentication tokens are common when authenticating apps and services with persistent connection requirements," said Tim Mackey, senior technical evangelist at Synopsys. "For example, if a mobile app doesn't prompt the user for their credentials at each app launch, then there is a strong possibility an access token is in use".

In Automattic's email to users, it said "we've disconnected your app from your account as a precaution" which indicates that the tokens of those affected have been reset and therefore invalidated.

"Users who have used any form of access token should recognise that changing their password will typically not invalidate access tokens," said Mackey. "Instead, they need to revoke application access in order to generate a new token. In the case of a mobile application, uninstalling the application and reinstalling it would typically also generate a new token."

Approximately 33% of all websites are powered using WordPress and 50-60% of all CMSs are WordPress-based too, according to codeinwp.

The topic of access tokens really entered the cyber security conversation in October 2018, when the Irish Data Protection Commission (DPC) confirmed that three million EU users had their access tokens stolen in the Facebook hack.

30 million Facebook users were hacked using stolen access tokens which gave attackers access to a range of personal information stored on their profiles. In 14 million of these cases, data was stolen including name, listed contact method as well as sensitive information such as search and location data.
