WordPress said it has fixed a bug in its iOS app that inadvertently exposed account tokens to third-party sites.
In an email to customers seen by TechCrunch, the content management giant said it "discovered an issue with the WordPress iOS application with the way it handles security credentials." The company has disconnected affected accounts from the app "as a precaution."
Although no usernames or passwords were involved, the app in some cases inadvertently sent sensitive account tokens to third parties.
These account tokens are small bits of code that let you stay logged into an app or service without having to enter your password every time. But if leaked or stolen, an account token can give anyone access to your account without needing your password.
After reaching out to Automattic, the company's parent, we've gained some additional clarity. In short, the bug was found in how images were fetched from private WordPress sites that hosted images on other sites. If a private WordPress site had a post or a page with an image hosted on Flickr, for example, the app would send along a WordPress account token to Flickr when fetching the image.
That's not how it's supposed to work. It meant account tokens could appear in the logs of third-party companies, which could allow unscrupulous individuals to target WordPress accounts. That said, the risk to accounts is minimal and users shouldn't be overly worried. For peace of mind, you can change your WordPress password, which should refresh and rotate your account tokens.
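To make the mechanism concrete, here is an added example (not Automattic's code) that models the bug described above in a small request builder: the buggy version attaches the account token to every image fetch, the fixed version scopes it to the private site's own host over HTTPS, and an audit function flags any outbound request that carries the token to a host outside that scope. Host names, URLs and the token are constructed placeholders.

```python
from __future__ import annotations
from urllib.parse import urlparse

# Constructed values: the private site the app is signed in to and the
# token it holds for that site (placeholder, not a real credential).
SITE_HOST = "private-blog.example"
TOKEN = "EXAMPLE-ACCOUNT-TOKEN"

# Hosts that legitimately need the account token.
TOKEN_SCOPE = {SITE_HOST}


def build_request_buggy(url: str, token: str) -> dict:
    """Behaviour the article describes: the token rides along on every image
    fetch, even when the image lives on a third-party host such as Flickr."""
    return {"url": url, "headers": {"Authorization": f"Bearer {token}"}}


def build_request_fixed(url: str, token: str, scope=TOKEN_SCOPE) -> dict:
    """Attach the token only to HTTPS requests whose host is in scope.
    urlparse lowercases the hostname, so case tricks do not widen the scope."""
    parsed = urlparse(url)
    headers = {}
    if parsed.scheme == "https" and (parsed.hostname or "") in scope:
        headers["Authorization"] = f"Bearer {token}"
    return {"url": url, "headers": headers}


def token_leaks(requests: list[dict], scope=TOKEN_SCOPE) -> list[str]:
    """Audit outbound requests: return hosts that received an Authorization
    header although they are outside the token's scope."""
    leaked = []
    for req in requests:
        host = urlparse(req["url"]).hostname or ""
        if "Authorization" in req["headers"] and host not in scope:
            leaked.append(host)
    return leaked


# Constructed post content: one image on the private site, one on Flickr.
IMAGE_URLS = [
    "https://private-blog.example/wp-content/uploads/2019/03/a.jpg",
    "https://live.staticflickr.com/65535/photo_b.jpg",
]


def audit(builder) -> list[str]:
    """Build a request per image with the given builder and report leaks."""
    return token_leaks([builder(u, TOKEN) for u in IMAGE_URLS])


if __name__ == "__main__":
    print("buggy leaks token to:", audit(build_request_buggy))
    print("fixed leaks token to:", audit(build_request_fixed))
```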
"Our engineers discovered this bug in the iOS app and we have no indication it was ever exploited," said a WordPress spokesperson in an email to TechCrunch. "The first affected version was released in January 2017, and version 11.9.1 released on March 15, 2019 fixed the issue."
WordPress didn't immediately say how many customers were affected, only that it emailed all WordPress iOS users with private sites to reset their account tokens. The company's Android app was not affected.
Users should update their app as soon as possible.