WordPress iOS App Credentials May Have Been Compromised

wordpress iOS app

If you are using the WordPress iOS app, do update it at once as the old version exposes your security credentials to third-party websites.

WordPress says that recently uncovered an issue with the WordPress iOS application with how it handles security credentials.

The iOS app inadvertently exposed account tokens to third-party sites.

The issue has the possibility of exposing security credentials to third-party websites and only affected private websites with images hosted externally (e.g., with a service like Flickr) that were viewed or composed with the app.

Typically when a WordPress.com site had a post or a page with an image hosted on Flickr, the app would send along a WordPress.com account token to Flickr when fetching the image.

In the unpatched version of the app, the account tokens could appear in the logs of third-party companies.

In the hands of malicious individuals, this could be used to target such WordPress.com account.

While WordPress hasn’t said how many customers were affected, Sensor Tower indicates that the app was installed 9.3 million times on iOS since 2012, with about 1.3 million installs last year.

WordPress has reset all password for iOS users but it is still advisable to update your password.

The Android app self-hosted WordPress installations are not affected.

To start using the app again, do make sure you’ve updated WordPress iOS to 11.9.1 or greater.

You can check for updates in the App Store on your device and tap the “more” button to see the release notes, which list the version number.

Once you’ve updated, launch the app.

You may notice errors about not being authorized and data will not load, or be prompted to log in.

If you’re not prompted to log in, visit the Me tab and tap Log Out, then sign back in.

You can download the Mac app from https://apps.wordpress.com/desktop/.

For the mobile app, visit https://apps.wordpress.com/mobile/.






Leave a Reply