WordPress iOS App Bug Leaked Secret Access Tokens to Third-Party Sites
WordPress has recently patched a severe vulnerability in its iOS application that apparently leaked secret authorization tokens for users whose blogs were using images hosted on third-party sites, a spokesperson for Automattic confirmed The Hacker News in an email.
Discovered by the team of WordPress engineers, the vulnerability resided in the way WordPress iOS application was fetching images used by private blogs but hosted outside of WordPress.com, for example, Imgur or Flickr.
That means, if an image were hosted on Imgur and then when the WordPress iOS app attempted to fetch the image, it would send along a WordPress.com authorization token to Imgur, leaving a copy of the token in the access logs of the Imgur's web server.
It should be noted that the WordPress application for Android devices and self-hosted WordPress websites are not affected by this issue.
Though the company did not reveal precisely how many users or blogs were affected by the issue, it did confirm that there's been no sign of leaked access tokens being used to unauthorizedly access any affected accounts.
"Our engineers discovered this bug in the iOS app (Android was not affected), and we have no indication it was ever exploited," the spokesperson wrote to The Hacker News.
Automattic has also taken the precautionary step of resetting access tokens and send a warning message to all iOS users with private blogs.
Since it was authorization tokens and not the passwords that were exposed due to this bug, there's no need to change your password.
Blog owners using WordPress app on iOS devices are recommended to update their app immediately.
Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
Source: thehackernews.com
WordPress iOS App Bug Leaked Secret Access Tokens to Third-Party Sites
Reviewed by Anonymous
on
7:48 AM
Rating:
Reviewed by Anonymous
on
7:48 AM
Rating:
