Automattic, the company behind the WordPress.com blogging platform, said it fixed a bug in its official iOS application that might have exposed users’ account authentication tokens to third-party websites.
“The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app,” the company said in an email it sent to its users this week.
“We’ve fixed the issue and released an updated version of the app to the App Store,” it said.
Automattic said no usernames and passwords were exposed, but only “security tokens that the app uses to communicate/authenticate with WordPress.com.”
This means that if a WordPress.com blog owner used the iOS app to create or edit a blog post that contained an image hosted on another site, then that site might have received the WordPress.com security token by accident.
The risk is that WordPress.com authentication tokens may now be sitting in the server logs of various websites and online services, where an unethical website owner or employee could go looking for them.
The value of these tokens is that they can be used to access a user’s WordPress.com account without a password.
Self-hosted WordPress sites are not impacted, as the open-source version uses its self-standing user system to grant users access to their sites, and not WordPress.com accounts.
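The article does not say exactly how the token reached the image hosts, so the following is an added illustration, not Automattic's code or a reconstruction of the app. It assumes the token was carried as a per-request bearer header and models the bug as a client that attaches that header to every fetch, beside the hardened pattern that scopes the header to the WordPress.com API host. The API hostname and the image URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample token; not a real credential.
SAMPLE_TOKEN = "example-token-not-real"

# Assumption: the only host that should ever see the token is the WordPress.com API.
TRUSTED_API_HOSTS = {"public-api.wordpress.com"}

# Constructed image URLs as they might appear in a private post:
# an externally hosted photo, a look-alike hostname that merely starts with the
# trusted name, and a file served by the trusted API host itself.
SAMPLE_IMAGES = [
    "https://i.example-photos.test/photo.jpg",
    "https://public-api.wordpress.com.lookalike.test/img.png",
    "https://public-api.wordpress.com/rest/v1.1/media/1",
]


def leaky_headers(url: str, token: str) -> dict:
    """Buggy pattern: the bearer token rides along on every request the client
    makes, regardless of which host the URL points at."""
    return {"Authorization": f"Bearer {token}"}


def scoped_headers(url: str, token: str) -> dict:
    """Hardened pattern: attach the token only for HTTPS requests whose hostname
    exactly matches a trusted API host. Exact matching (not prefix or suffix
    matching) is what keeps look-alike hosts from qualifying."""
    parts = urlsplit(url)
    if parts.scheme == "https" and parts.hostname in TRUSTED_API_HOSTS:
        return {"Authorization": f"Bearer {token}"}
    return {}


def hosts_receiving_token(image_urls, token: str, header_fn) -> list:
    """Simulate the app rendering a post: return the hostnames that would have
    received the token when each image was fetched with header_fn's headers."""
    exposed = []
    for url in image_urls:
        if "Authorization" in header_fn(url, token):
            exposed.append(urlsplit(url).hostname)
    return exposed


def headers_after_redirect(location: str, token: str) -> dict:
    """Redirect caveat: a trusted host may redirect an image fetch to an external
    CDN. Recomputing headers for the new location (instead of reusing the
    original request's headers) drops the token on the hop off the API host."""
    return scoped_headers(location, token)


if __name__ == "__main__":
    print("leaky client exposes token to:",
          hosts_receiving_token(SAMPLE_IMAGES, SAMPLE_TOKEN, leaky_headers))
    print("scoped client exposes token to:",
          hosts_receiving_token(SAMPLE_IMAGES, SAMPLE_TOKEN, scoped_headers))
    print("after redirect to external CDN:",
          headers_after_redirect("https://cdn.example-photos.test/x.jpg", SAMPLE_TOKEN))
```

The two points a reviewer would check in a real client are the ones the scoped version encodes: the credential decision is made per URL, not per client, and the host comparison is an exact match against an allowlist rather than a substring test. A plain-HTTP URL to the trusted host also gets no token, which covers the downgrade case.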
Automattic did not reveal in-depth technical details, did not say how it discovered the leak, and did not say how many users were affected.
A copy of Automattic’s email is available below: