WordPress says iOS app bug exposed account tokens to third parties

WordPress said it has fixed a bug in its iOS app that inadvertently exposed account tokens to third-party sites.

In an email to customers seen by TechCrunch, the content management giant said it “uncovered an issue with the WordPress iOS application with how it handles security credentials.” The company has disconnected affected accounts from the app “as a precaution.”

The company’s Android app was not affected, nor were self-hosted WordPress installations.

Although no usernames and passwords were involved, the app in some cases inadvertently sent sensitive account tokens to third parties.

These account tokens are small bits of code that allow you to stay logged into an app or service without having to enter your password every time. But if leaked or stolen, an account token can give anyone access to your account without needing your password.

After reaching out to Automattic, the company’s parent, we’ve gained some additional clarity. In short, the bug was in how the app fetched images embedded in posts on private WordPress.com sites when those images were hosted by other sites. If a private WordPress.com site had a post or a page with an image hosted on Flickr, for example, the app would send along a WordPress.com account token to Flickr when fetching the image.

That’s not how it’s meant to work. It meant account tokens could appear in the logs of third-party companies, which could allow unscrupulous individuals to target WordPress.com accounts. That said, the risk to accounts is minimal and users shouldn’t be overly worried.
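To show the class of bug described above in code, here is an added example that is not code from the WordPress iOS app or from Automattic: a request-building routine that attaches the account token to every image fetch (the leaky pattern) next to one that attaches it only to HTTPS requests whose host is exactly the API origin, plus a small audit that lists which embedded-image URLs would receive the token. The API host, the token value and the sample image URLs are all constructed for the example; the article does not say how the real app built its requests.

```python
from urllib.parse import urlsplit

# Constructed values: the real WordPress.com API host and token format are
# not stated in the article and play no part in the logic below.
API_HOST = "api.example-cms.test"
TOKEN = "constructed-bearer-token"


def leaky_headers(url: str, token: str) -> dict:
    """The buggy pattern: the account token rides along on every image
    fetch, no matter which host the image URL points at."""
    return {"Authorization": f"Bearer {token}"}


def scoped_headers(url: str, token: str, api_host: str = API_HOST) -> dict:
    """Hardened pattern: the token is attached only when the request goes
    over HTTPS to exactly the API origin; any other fetch is unauthenticated."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return {}  # never send a bearer token in cleartext
    if parts.username or parts.password:
        return {}  # user@host tricks confuse substring-style host checks
    host = (parts.hostname or "").lower()
    if host != api_host:
        return {}  # exact match, so lookalike suffixes do not pass
    return {"Authorization": f"Bearer {token}"}


def token_misrouted(url: str, headers: dict, api_host: str = API_HOST) -> bool:
    """True if a token would leave for a host other than the API origin,
    over a non-HTTPS scheme, or in a URL carrying userinfo."""
    if "Authorization" not in headers:
        return False
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (
        parts.scheme != "https"
        or bool(parts.username or parts.password)
        or host != api_host
    )


# Constructed sample of image URLs a private post might embed.
SAMPLE_IMAGE_URLS = [
    "https://api.example-cms.test/media/123.jpg",        # first-party image
    "https://photos.flickr-like.test/u/42/pic.jpg",      # third-party host
    "https://api.example-cms.test.attacker.test/x.jpg",  # lookalike suffix
    "http://api.example-cms.test/media/456.jpg",         # cleartext downgrade
    "https://api.example-cms.test@evil.test/x.jpg",      # userinfo trick
]


def audit(header_fn, urls=SAMPLE_IMAGE_URLS, token=TOKEN) -> list:
    """Return the URLs to which header_fn would misroute the token."""
    return [u for u in urls if token_misrouted(u, header_fn(u, token))]


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_headers), ("scoped", scoped_headers)):
        print(f"{name}: token misrouted to {audit(fn)}")
```

Running the audit against the leaky builder lists every URL except the first-party one; against the scoped builder it lists nothing. The exact-host comparison on the parsed hostname (rather than a prefix or substring test on the raw URL string) is what makes the lookalike-suffix and userinfo cases fail closed.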

All WordPress iOS users with private sites had their account tokens reset — so there’s no need to change your password.

“Our engineers discovered this bug in the iOS app and we have no indication it was ever exploited,” said an Automattic spokesperson in an email to TechCrunch. “The first affected version was released in January 2017, and version 11.9.1 released on March 15, 2019 fixed the issue.”

WordPress didn’t immediately say how many customers were affected, but mobile insights company Sensor Tower said in an email that the app was installed 9.3 million times on iOS since 2012, with about 1.3 million installs last year.

Users should update their app as soon as possible.