WordPress iOS app exposed users’ account authentication tokens to third-party websites

• A bug in the WordPress iOS application might have exposed users' account authentication tokens to third-party websites.
• Automattic has fixed the issue in the latest updated version of the WordPress iOS app.

What is the issue - A bug in the WordPress iOS application might have exposed users’ account authentication tokens to third-party websites.

Why it matters - These account authentication tokens can be used to access a user’s WordPress account without a password.

The big picture

The bug in the WordPress iOS app exposes security tokens to third-party websites when the WordPress blog contains any images that are hosted on the third-party site.

This implies that when a WordPress blog owner uses the iOS app to create or edit a blog post that contained an image hosted on a third-party website, then that third-party site might receive the security token.

The company’s response

Automattic, the company behind the WordPress notified its users via an email stating that they’ve uncovered an issue with the WordPress iOS app with how it handles with security credentials.

“The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app,” the email read.

• Automattic disclosed that the security tokens that the app uses to communicate or authenticate with WordPress are exposed.
• However, the company confirmed that no usernames or passwords were exposed.
• It further confirmed that the security issue does not impact the self-hosted WordPress sites as it uses a self-standing user system to grant users access to their sites and not WordPress accounts.

What actions were taken - Automattic has fixed the issue in the latest updated version of the WordPress iOS app.