Automattic, the company behind the WordPress.com blogging platform, said it fixed a bug in its official iOS application that might have exposed users’ account authentication tokens to third-party websites.
“The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app,” the company said in an email it sent to its users this week.
“We’ve fixed the issue and released an updated version of the app to the App Store,” it said.
Automattic said no usernames or passwords were exposed, only “security tokens that the app uses to communicate/authenticate with WordPress.com.”
This means that if a WordPress.com blog owner used the iOS app to create or edit a blog post that contained an image hosted on another site, then that site might have received the WordPress.com security token by accident.
There is now a danger that WordPress.com authentication tokens are recorded in server logs at various websites and online services, and that unethical website owners or employees might go looking for these tokens in their web server logs.
The value of these tokens is that they can be used to access a user’s WordPress.com account without a password. However, Automattic has told ZDNet that these tokens have now been revoked, rendering them useless.
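The class of bug described above, a client attaching its credential to image requests regardless of which host serves the image, is usually prevented by scoping the token to first-party hosts. The sketch below is an added example, not code from the WordPress app or from Automattic. It assumes the token travels in an `Authorization: Bearer` header and that `wordpress.com` and its subdomains are the only trusted hosts. The function names, URLs and token value are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only first-party domain is the one the article names.
TRUSTED_DOMAINS = ("wordpress.com",)


def is_first_party(url: str) -> bool:
    """True only for HTTPS URLs whose host is a trusted domain or a subdomain of one."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    if parts.scheme != "https" or not host:
        return False
    # Match on a label boundary: "evilwordpress.com" must not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def image_request_headers(url: str, token: str) -> dict:
    """Build headers for an image fetch; the token is attached only to first-party hosts."""
    headers = {"Accept": "image/*"}
    if is_first_party(url):
        headers["Authorization"] = f"Bearer {token}"  # header form is an assumption
    return headers


def headers_for_redirect_chain(urls: list, token: str) -> list:
    """Re-evaluate the decision at every hop so a redirect to another host drops the token."""
    return [image_request_headers(u, token) for u in urls]


if __name__ == "__main__":
    token = "EXAMPLE-TOKEN"  # constructed placeholder, not a real credential
    for u in (
        "https://example.files.wordpress.com/2019/04/a.png",  # first-party
        "https://images.example.net/photo.jpg",               # external image host
        "https://wordpress.com@images.example.net/p.jpg",     # userinfo look-alike
        "https://evilwordpress.com/p.jpg",                    # suffix look-alike
    ):
        print(u, "->", "Authorization" in image_request_headers(u, token))
```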