WordPress says iOS app bug exposed account tokens to third parties

by Arpit Maheshwari on April 02, 2019

WordPress said it’s fixed a bug in its iOS app that inadvertently exposed account tokens to third-party sites.

In an email to customers seen by TechCrunch, the content management giant said it “uncovered an issue with the WordPress iOS application with how it handles security credentials.” The company has disconnected affected accounts from the app “as a precaution.”

Although no usernames or passwords were involved, the app in some cases inadvertently sent sensitive account tokens to third parties.

These account tokens are small pieces of data that allow you to stay logged into an app or service without having to enter your password every time. But if leaked or stolen, an account token can give anyone access to your account without needing your password.

After reaching out to Automattic, the company’s parent, we’ve gained some additional clarity. In short, the bug was in how the app fetched images for private WordPress sites when those images were hosted by other sites. If a private WordPress site had a post or a page with an image hosted on Flickr, for example, the app would send along the WordPress account token to Flickr when fetching the image.

That’s not how it’s meant to work. It meant account tokens could appear in the logs of third-party companies, which could allow unscrupulous individuals to target WordPress accounts. That said, the risk to accounts is minimal and users shouldn’t be overly worried. For peace of mind, you can change your WordPress password, which should refresh and rotate your account tokens.
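The fix described above comes down to scoping the credential to the origin that issued it. This added Python example is not WordPress’s or Automattic’s code; all site names, URLs and the token are constructed. It contrasts the pre-fix behaviour (token on every image fetch) with a scoped client that also handles a same-site image redirecting to a third-party CDN, and adds an audit helper that lists which third-party hosts would have seen the token in their logs.

```python
from urllib.parse import urlsplit

# Constructed values for this example; not real sites or tokens.
PRIVATE_SITE = "https://private.example.com"      # the user's private WordPress site (assumed)
ACCOUNT_TOKEN = "constructed-token-placeholder"   # stands in for the WordPress account token

def origin(url):
    """(scheme, host, port) of a URL; http:// on the same host is a different origin."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def headers_leaky(url, site=PRIVATE_SITE, token=ACCOUNT_TOKEN):
    """Behaviour the article describes before the fix: the token rides on every image fetch."""
    return {"Authorization": f"Bearer {token}"}

def headers_scoped(url, site=PRIVATE_SITE, token=ACCOUNT_TOKEN):
    """Hardened form: the token is attached only to HTTPS requests to the site that issued it."""
    o = origin(url)
    if o == origin(site) and o[0] == "https":
        return {"Authorization": f"Bearer {token}"}
    return {}

def fetch_sequence(image_urls, header_fn, redirects=None, site=PRIVATE_SITE):
    """Walk each image URL plus any redirect hops and record which requests carried the token.
    `redirects` maps a URL to its Location target (constructed). A same-site image that
    redirects to a third-party CDN is the edge case a naive client gets wrong."""
    redirects = redirects or {}
    sent = []
    for url in image_urls:
        for _ in range(5):                       # cap redirect chains
            carried = "Authorization" in header_fn(url, site)
            sent.append((url, carried))
            url = redirects.get(url)
            if url is None:
                break
    return sent

def third_party_hosts_with_token(sequence, site=PRIVATE_SITE):
    """Audit view: hosts other than the site that received the token (what their logs would show)."""
    return sorted({urlsplit(u).hostname for u, carried in sequence
                   if carried and origin(u) != origin(site)})

if __name__ == "__main__":
    images = ["https://private.example.com/wp-content/img.jpg", "https://images.flickr.example/p.jpg"]
    hops = {"https://private.example.com/wp-content/img.jpg": "https://cdn.example.net/img.jpg"}
    print("leaky: ", third_party_hosts_with_token(fetch_sequence(images, headers_leaky, hops)))
    print("scoped:", third_party_hosts_with_token(fetch_sequence(images, headers_scoped, hops)))
```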

“Our engineers discovered this bug in the iOS app and we have no indication it was ever exploited,” said a WordPress spokesperson in an email to TechCrunch. “The first affected version was released in January 2017, and version 11.9.1 released on March 15, 2019 fixed the issue.”

WordPress didn’t immediately say how many customers were affected, only that it emailed all WordPress iOS users with private sites to reset their account tokens. The company’s Android app was not affected.

Users should update their app as soon as possible.


Arpit Maheshwari
Software Engineer by Profession. Machine Learning enthusiast. I like to visit new places and watch movies. When I’m not doing all of those, I love to build software and tools.
