WordPress bug for iOS exposed user access tokens

Another day, another flaw in a prominent App Store app that exposed user data. This time it is WordPress for iOS. Before anyone heads for the hills, though: no extremely sensitive information was leaked, and the problem has already been fixed.

What happened, then? As explained by ZDNet, the flaw exposed users' authentication tokens to third-party websites. More specifically, the problem was in how the app handled images hosted on other websites and displayed in user posts: when fetching those images, the app sent along the token that proves the account's identity, so a malicious website could capture it and, with a little effort, gain access to the account.
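To make the mechanism concrete, here is an added illustration (not code from the WordPress app or from Automattic) that compares sending the token with every image fetch against sending it only to trusted hosts. The host names, the token value, the `Bearer` header scheme and all function names are assumptions made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only hosts that may ever see the account token (placeholder name).
TRUSTED_HOSTS = {"blog-service.example"}

def is_trusted(url, trusted=TRUSTED_HOSTS):
    """True only for https URLs whose host is a trusted host or a subdomain of one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    # Match on a dot boundary so "myblog-service.example" does not pass as a subdomain.
    return any(host == t or host.endswith("." + t) for t in trusted)

def headers_before_fix(url, token):
    """Behaviour the article describes: the token accompanies every image fetch."""
    return {"Authorization": f"Bearer {token}"}

def headers_after_fix(url, token):
    """Scoped behaviour: third-party image hosts get an unauthenticated request."""
    return {"Authorization": f"Bearer {token}"} if is_trusted(url) else {}

class ImageSources(HTMLParser):
    """Collects the src of every <img> in a post body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.urls.append(src)

def hosts_receiving_token(post_html, token, policy):
    """Hosts that would be sent the token while rendering this post."""
    parser = ImageSources()
    parser.feed(post_html)
    return sorted({urlsplit(u).hostname for u in parser.urls
                   if "Authorization" in policy(u, token)})

# Constructed sample post: one first-party image, one third-party, one lookalike host.
SAMPLE_POST = """
<p>Holiday photos</p>
<img src="https://media.blog-service.example/2019/beach.jpg">
<img src="https://images.third-party.example/banner.png">
<img src="https://myblog-service.example/pixel.gif">
"""
```

Calling `hosts_receiving_token(SAMPLE_POST, token, headers_before_fix)` lists all three hosts, while the scoped policy leaves only the first-party media host.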

Fortunately, no improper access has occurred, and more sensitive data (such as usernames and passwords) was not shared. Automattic, the company responsible for WordPress, has already fixed the bug (which, it is worth noting, was unique to the iOS app) and reset the tokens of all affected users to avoid any future breach.

Still, fixing the problem does not absolve the developer of the fact that it existed for more than two years: WordPress for iOS had the flaw since January 2017, and the bug was corrected in version 11.9.1, released on the 15th.

If history is any guide, we can't put all our trust in anyone on the internet, even well-known developers. If you keep your apps up to date and avoid sharing sensitive information online, however, you generally don't need to worry.

via TechCrunch