Account authentication tokens of WordPress users accounts are being exposed to third-party sites through the its iOS application. This is an issue because these tokens could give an attacker the ability to access the user’s account without a password. The tokens are exposed when a user’s WordPress blog holds images that come from third-party sites. So essentially, when a user makes changes to their blog containing third-party site hosted images on the iOS app, there is a chance the site could receive the authentication tokens. Automattic, the parent company of WordPress, released at statement regarding the matter that read, “The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app.” However, Automattic confirmed that no usernames or passwords were exposed and that they have developed a patch in the latest version of the app.
Analyst Notes
Users should update their WordPress App to the latest version immediately as it will prevent this issue from happening. Another suggestion would be to log out after every use instead of remaining logged in, which would prevent bugs like this one from exposing the access tokens.
