WordPress Login Bug, Enables Third-Parties To Receive Security Tokens
The use of a Content Management System (CMS) to manage websites is heaven sent for non-programmers. The ease of use through a WYSIWYG editor it provides is like publishing a content similar to how to write articles in a word processor program. Problem with CMS is its complexity is hidden from the web content writer/publisher, this same complexity promotes the speed of content update at the expense of security.
All of that complexity is supplemented by CMS featuring a plugin system, designed to expand the capability of the software beyond what the default features provide. Another risk is added when we add to the discussion regarding the complexity that a mobile app can add to the already shaky security of the CMS. This is exactly what is happening with the already vulnerable WordPress platform, as it was recently discovered that its official iOS app has a security weakness that when exploited can reveal the account security tokens to other websites.
“The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app. We’ve fixed the issue and released an updated version of the app to the App Store” explained WordPress.
The bug was described as the web admin who chose to use a 3rd party image hosting site, that site receives the WordPress.com security token the moment the iOS app was used to edit the site. The administrators of the image hosting site will then have the capability to log in as the WordPress.com site’s owner as the result of the bug. This happens without the WordPress site notifying them to enter a valid username and password, as the security token provides the identity that the WordPress site will accept as valid.
This bug affected all websites hosted under WordPress.com’s hosting service but does not affect the independent websites self-hosting a WordPress-based webpage. These independent sites have their own user account database that is not in any way related to WordPress.com. The schematics of how to abuse the bug and all the technical details were not disclosed publicly, especially now that the bug was already fixed.
Julia Sowells886 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.