It has been reported that Automattic, the company behind the WordPress.com blogging platform, said it fixed a bug in its official iOS application that might have exposed users’ account authentication tokens to third-party websites.
— Pablo Alejandro Fain (@FainPablo) April 2, 2019
Expert Comments Below:
Tim Mackey, Senior Technical Evangelist at Synopsys:
“Access and authentication tokens are common when authenticating apps and services with persistent connection requirements. For example, if a mobile app doesn’t prompt the user for their credentials at each app launch, then there is a strong possibility an access token is in use. Were a malicious user to gain access to the token, replaying that token could easily allow the malicious user to impersonate the legitimate user unless precautions are taken within the app/service. Invalidating breached tokens is one method to ensure that any tokens obtained in a breach are no longer usable. Automattic have indicated they “disconnected” the app from user accounts as a precaution which indicates they invalidated any breached tokens.
Users who have used any form of access token should recognise that changing their password will typically not invalidate access tokens. Instead, they need to revoke application access in order to generate a new token. In the case of a mobile application, uninstalling the application and reinstalling it would typically also generate a new token. The topic of access token management entered public awareness with multiple Facebook breach disclosures in 2018.”