If you have a “private” blog with WordPress.com and are using its official iOS app to create or edit posts and pages, the secret authentication token for your admin account might have accidentally been leaked to third-party websites.WordPress has recently patched a severe vulnerability in its iOS application that apparently leaked secret authorization tokens for users whose blogs were using images hosted on third-party sites, a spokesperson for Automattic confirmed The Hacker News in an email.
Discovered by the team of WordPress engineers, the vulnerability resided in the way WordPress iOS application was fetching images used by private blogs but hosted outside of WordPress.com, for example, Imgur or Flickr.That means, if an image were hosted on Imgur and then when the WordPress iOS app attempted to fetch the image, it would send along a WordPress.com authorization token to Imgur, leaving a copy of the token in the access logs of the Imgur’s web server.It should be noted that the WordPress application for Android devices and self-hosted WordPress websites are not affected by this issue.
Automattic confirmed The Hacker News that the vulnerability affects all versions of the WordPress iOS app released since last two years (January 2017) and was patched last month with the release of WordPress iOS app version 11.9.1.
Though the company did not reveal precisely how many users or blogs were affected by the issue, it did confirm that there’s been no sign of leaked access tokens being used to unauthorizedly access any affected account.
“Our engineers discovered this bug in the iOS app (Android was not affected), and we have no indication it was ever exploited,” the spokesperson wrote to The Hacker News.
Automattic has also taken the precautionary step of resetting access tokens and send a warning message to all iOS …