WordPress iOS App Bug Leaked Secret Access Tokens to Third-Party Sites


If you have a “private” blog with WordPress.com and are using
its official iOS app to create or edit posts and pages, the secret
authentication token for your admin account might have accidentally
been leaked to third-party websites.

WordPress has recently patched a severe vulnerability in its iOS
application that leaked secret authorization tokens for users whose
blogs were using images hosted on third-party sites, a spokesperson
for Automattic confirmed to The Hacker News in an email.

Discovered by a team of WordPress engineers, the vulnerability
resided in the way the WordPress iOS application fetched images
used by private blogs but hosted outside of WordPress.com, for
example on Imgur or Flickr.

That means that if an image was hosted on Imgur, then whenever the
WordPress iOS app fetched that image it would send along the
WordPress.com authorization token to Imgur, leaving a copy of the
token in the access logs of Imgur’s web server.
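The mechanism above is a credential attached to a cross-origin request. The following added example (not Automattic's code; the hostname allow-list, the token value and the sample URLs are constructed assumptions) shows the leaky pattern beside a host-scoped alternative, and a check that flags any outgoing image request that would hand the token to an untrusted host:

```python
from urllib.parse import urlsplit

# Constructed placeholder, not a real credential.
WPCOM_TOKEN = "EXAMPLE-TOKEN-NOT-REAL"
# Hosts allowed to receive the token; assumed for this example, not Automattic's list.
TRUSTED_HOSTS = {"wordpress.com"}


def leaky_headers(url: str) -> dict:
    """Models the bug: the bearer token rides on every image fetch, whatever host serves it."""
    return {"Authorization": f"Bearer {WPCOM_TOKEN}"}


def is_trusted_host(url: str) -> bool:
    """True only for https URLs whose host is a trusted domain or one of its subdomains.

    urlsplit().hostname strips userinfo and port, so 'https://wordpress.com@evil.example/'
    resolves to evil.example and is rejected; 'wordpress.com.evil.example' fails the
    suffix check because the match requires a dot boundary before the trusted domain.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def scoped_headers(url: str) -> dict:
    """Hardened form: the token goes only to first-party hosts; third parties get an anonymous fetch.

    Call this again for every redirect Location, so a first-party URL that bounces to a
    third-party CDN does not carry the token along.
    """
    return {"Authorization": f"Bearer {WPCOM_TOKEN}"} if is_trusted_host(url) else {}


def would_leak(url: str, headers: dict) -> bool:
    """Detection helper: does this outgoing request hand the token to an untrusted host?"""
    return "Authorization" in headers and not is_trusted_host(url)


if __name__ == "__main__":
    # Constructed sample of image URLs as they might appear in a private post.
    for u in ["https://wordpress.com/wp-content/uploads/a.png",
              "https://i.imgur.com/constructed.png",
              "https://wordpress.com@evil.example/b.png"]:
        print(u, "leaky:", would_leak(u, leaky_headers(u)),
              "scoped:", would_leak(u, scoped_headers(u)))
```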

It should be noted that the WordPress application for Android
devices and self-hosted WordPress websites are not affected by this
issue.


Automattic confirmed to The Hacker News that the vulnerability
affects all versions of the WordPress iOS app released in the last
two years (since January 2017) and was patched last month with the
release of WordPress iOS app version 11.9.1.
Though the company did not reveal precisely how many users or blogs
were affected by the issue, it did confirm that there has been no
sign of leaked access tokens being used to gain unauthorized access
to any affected account.

“Our engineers discovered this bug in the iOS app (Android was not
affected), and we have no indication it was ever exploited,” the
spokesperson wrote to The Hacker News.

Automattic has also taken the precautionary step of resetting
access tokens and sending a warning message to all iOS users with
private blogs.

Since it was authorization tokens and not passwords that were
exposed by this bug, there is no need to change your password.

Blog owners using the WordPress app on iOS devices are recommended
to update their app immediately.

[1]

References

  1. WordPress iOS app (itunes.apple.com)
