Select Page

If you have a “private” blog with and are using its official iOS app to create or edit posts and pages, the secret authentication token for your admin account might have accidentally been leaked to third-party websites.

WordPress has recently patched a severe vulnerability in its iOS application that apparently leaked secret authorisation tokens for users whose blogs were using images hosted on third-party sites, a spokesperson for Automattic confirmed The Hacker News in an email.

Discovered by the team of WordPress engineers, the vulnerability resided in the way WordPress iOS application was fetching images used by private blogs but hosted outside of, for example, Imgur or Flickr.

That means, if an image were hosted on Imgur and then when the WordPress iOS app attempted to fetch the image, it would send along a authorisation token to Imgur, leaving a copy of the token in the access logs of the Imgur’s web server.

It should be noted that the WordPress application for Android devices and self-hosted WordPress websites are not affected by this issue.

images from Hacker News