A bug in the iOS app of WordPress had been exposing the account tokens to third-party sites. According to the latest update, the bug has been fixed. The content management system informed customers through an email that an issue regarding how the iOS app had been handling the security credentials was uncovered. As a precautionary measure, the affected accounts were disconnected by the company from the app.
Whereas the Android version of the app and the self-hosted WordPress installations remained unaffected. App accidentally sent sensitive account tokens only to the third party, and no passwords or usernames were involved.
Through these account tokens, which are a few lines code, a person does not have to type in passwords every time. It keeps you signed in to the app, though your password is not shown with the help of stolen tokens, others can have access to your accounts as no password is required.
The bug was present how other sites were fetching images from the private Wordpress site. When an image hosted on another site, like Imgur or Flickr is posted on the private Wordpress site, a token of the WordPress account was sent to those sites whenever the image was fetched.
If the account tokens appear on the logs of third-party companies, these could be used unethically to target the Wordpress accounts. But fortunately, the possible damage to the account is not much.
Account tokens of the WordPress iOS users were reset, saving them the trouble of changing the passwords. According to Automattic spokesperson, after the engineers discovered the bug, there had been no reports of if it has been exploited by anyone. In January 2017, the first affected version was released whereas in the version 11.9.1, released on March 15, 2019, the issue was fixed.
No exact figures had been given by WordPress as to how many users were affected because of it. Sensor Tour, a mobile insight company, however, showed that since 2012, 9.3 million times the app was installed on iOS, out of which 1.3 installed the app in the last year.
Read Next: More Than Half of Americans Don’t Know How To Tell If They’ve Been In A Data Breach
Whereas the Android version of the app and the self-hosted WordPress installations remained unaffected. App accidentally sent sensitive account tokens only to the third party, and no passwords or usernames were involved.
— Pablo Alejandro Fain ⌚️📱👨🏻💻 (@FainPablo) April 2, 2019
Through these account tokens, which are a few lines code, a person does not have to type in passwords every time. It keeps you signed in to the app, though your password is not shown with the help of stolen tokens, others can have access to your accounts as no password is required.
The bug was present how other sites were fetching images from the private Wordpress site. When an image hosted on another site, like Imgur or Flickr is posted on the private Wordpress site, a token of the WordPress account was sent to those sites whenever the image was fetched.
If the account tokens appear on the logs of third-party companies, these could be used unethically to target the Wordpress accounts. But fortunately, the possible damage to the account is not much.
Account tokens of the WordPress iOS users were reset, saving them the trouble of changing the passwords. According to Automattic spokesperson, after the engineers discovered the bug, there had been no reports of if it has been exploited by anyone. In January 2017, the first affected version was released whereas in the version 11.9.1, released on March 15, 2019, the issue was fixed.
No exact figures had been given by WordPress as to how many users were affected because of it. Sensor Tour, a mobile insight company, however, showed that since 2012, 9.3 million times the app was installed on iOS, out of which 1.3 installed the app in the last year.
Read Next: More Than Half of Americans Don’t Know How To Tell If They’ve Been In A Data Breach
