WordPress iOS app leaked security tokens to third-parties

The WordPress app on an iPhone
(Image credit: Shutterstock)

WordPress's owner Automattic has contacted its users to reassure them that a bug in its official iOS app was exposing website authentication tokens to third-parties had been fixed.

The company confirmed that no user names or passwords had been leaked, but declined to comment on how many users were affected and how the leak was discovered.

The affected websites were those which hosted content on a third-party site, such as an image hosted on Imgur. If an admin of the website updated it via the iOS app, it's possible the website's authentication token was sent to to the third-party content hosting site.

"The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app," the company said in an email sent to its users this week.

There is no evidence to suggest any malicious activity has occurred as a result of the leak, but with access to an authentication code, an attacker could use it to assume control of a WordPress website without the need for a password. This could result in anything from data theft to a complete eradication of the site.

"Access and authentication tokens are common when authenticating apps and services with persistent connection requirements," said Tim Mackey, senior technical evangelist at Synopsys. "For example, if a mobile app doesn't prompt the user for their credentials at each app launch, then there is a strong possibility an access token is in use".

In Automattic's email to users, it said "we've disconnected your app from your account as a precaution" which indicates that the tokens of those affected have been reset and therefore invalidated.

"Users who have used any form of access token should recognise that changing their password will typically not invalidate access tokens," said Mackey. "Instead, they need to revoke application access in order to generate a new token. In the case of a mobile application, uninstalling the application and reinstalling it would typically also generate a new token."

Approximately 33% of all websites are powered using WordPress and 50-60% of all CMSs are WordPress-based too, according to codeinwp.

The topic of access tokens really entered the cyber security conversation in October 2018 when the Irish Data Protection Commission (DPC) confirmed that three million EU users had their access tokens stolen from the Facebook hack.

30 million Facebook users were hacked using stolen access tokens which gave attackers access to a range of personal information stored on their profiles. In 14 million of these cases, data was stolen including name, listed contact method as well as sensitive information such as search and location data.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.