WordPress iOS Bug: Third-Party Websites Received Secret Access Token


If you run a private blog on WordPress.com and use the official WordPress iOS app to create or edit posts and pages, the secret authentication token for your account may have been leaked to third-party websites. WordPress has recently patched a severe vulnerability in the iOS app that leaked users' WordPress.com authorization tokens whenever their private blogs used images hosted on third-party websites.

The vulnerability was discovered by WordPress engineers, who said it lay in the way the iOS app fetched images that were used by private blogs but hosted outside WordPress.com, for instance on Flickr or Imgur. If an image was hosted on Flickr, the app sent the user's WordPress.com authorization token along with the image request to Flickr, leaving a copy of the token in the access logs of Flickr's web server. A copy of an access token in someone else's logs is as good as the token itself for anyone who can read those logs. The WordPress app for Android and self-hosted WordPress sites are not affected by this issue.
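The following is an added illustration of the bug class described above, not code from the WordPress iOS app. It models an image-fetching client that attaches the account's WordPress.com token to every image request (the behaviour the article describes) next to a version that attaches the token only to HTTPS requests for WordPress.com hosts. The allowlist, the sample image URLs, the token value and the use of an `Authorization` header are all constructed assumptions; the article does not say how the app transported the token.

```python
from urllib.parse import urlsplit

# Assumed for this example: the WordPress.com host(s) a private blog's token is meant for.
# The real app's allowlist is not described in the article.
API_HOSTS = ("wordpress.com",)

# Constructed sample: image URLs referenced by one private post. The ".example" hosts
# stand in for third parties such as Flickr or Imgur; the last one is a lookalike
# domain that a careless suffix check would accept.
IMAGE_URLS = [
    "https://example.files.wordpress.com/2019/07/cover.jpg",
    "https://photos.flickr.example/123/holiday.jpg",
    "https://i.imgur.example/abc123.png",
    "https://cdn.notwordpress.com/tracker.gif",
]
TOKEN = "constructed-test-token-0123456789"  # constructed, not a real token


def host_is_allowed(host, allowed=API_HOSTS):
    """True for an allowed host or one of its subdomains.

    Matching on the dot boundary matters: a bare host.endswith("wordpress.com")
    would also accept "cdn.notwordpress.com".
    """
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def build_request_vulnerable(url, token):
    """Before the fix: the token rides along with every image fetch, whatever the host."""
    return {"url": url, "headers": {"Authorization": "Bearer " + token}}


def build_request_fixed(url, token):
    """After the fix: the token is attached only to HTTPS requests for allowed hosts.

    Requiring HTTPS is a defensive addition of this example; without it the token
    would cross the network in plaintext even to an allowed host.
    """
    parts = urlsplit(url)
    headers = {}
    if parts.scheme == "https" and host_is_allowed(parts.hostname):
        headers["Authorization"] = "Bearer " + token
    return {"url": url, "headers": headers}


def third_party_hosts_seeing_token(requests_, token):
    """Hosts outside the allowlist whose server logs would now contain the token."""
    leaked = set()
    for req in requests_:
        host = urlsplit(req["url"]).hostname
        auth = req["headers"].get("Authorization", "")
        if not host_is_allowed(host) and auth.endswith(token):
            leaked.add(host)
    return sorted(leaked)


def compare(image_urls=IMAGE_URLS, token=TOKEN):
    """Return (third parties that receive the token before the fix, same after the fix)."""
    before = third_party_hosts_seeing_token(
        [build_request_vulnerable(u, token) for u in image_urls], token)
    after = third_party_hosts_seeing_token(
        [build_request_fixed(u, token) for u in image_urls], token)
    return before, after


if __name__ == "__main__":
    before, after = compare()
    print("third parties receiving the token before the fix:", before)
    print("third parties receiving the token after the fix: ", after)
```

The client-side fix stops new copies of the token from reaching third parties, but it does nothing about copies already sitting in their logs; those remain usable until the token itself is revoked or rotated, which is why the disclosure's statement about seeing no misuse of leaked tokens matters.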

Automattic has confirmed that the vulnerability affects all versions of the iOS app released since January 2017 and that it was patched last month with the release of WordPress for iOS version 11.9.1. The company has not said precisely how many users or blogs were affected, but it did confirm that it has found no sign of the leaked access tokens being used to gain unauthorized access to any affected account. Blog owners are asked to update their app immediately.


