WordPress iOS app leaked authentication tokens


Automattic, the company behind the WordPress.com blogging platform, said it fixed a bug in its official iOS application that might have exposed users’ account authentication tokens to third-party websites.

“The issue created the potential of exposing security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that are viewed or composed with the app,” the company said in an email it sent to its users this week.

“We’ve fixed the issue and released an updated version of the app to the App Store,” it said.

Automattic said no usernames or passwords were exposed, only “security tokens that the app uses to communicate/authenticate with WordPress.com.”

This means that if a WordPress.com blog owner used the iOS app to create or edit a blog post that contained an image hosted on another site, then that site might have received the WordPress.com security token by accident.
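The failure mode described above, as an added illustration that is not Automattic's code and not taken from the WordPress iOS app: a client holds an API token and attaches it to every outgoing request, including fetches of images embedded in a post, so any third-party image host receives the credential. The hardened builder attaches the token only to HTTPS requests whose exact hostname is on an allowlist. The bearer-header mechanism, the allowlisted host `public-api.wordpress.com`, the post body and the URLs are all assumptions constructed for this example.

```python
"""Added example (not the WordPress app's code): scope an API token to its own host.

Assumptions: the app sends its token as a bearer header, the only legitimate
consumer of that token is public-api.wordpress.com, and the sample post below
is a constructed blog post containing externally hosted images.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

API_HOSTS = frozenset({"public-api.wordpress.com"})  # assumed allowlist
TOKEN = "constructed-example-token"  # placeholder, not a real credential


class ImageSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a post body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def image_urls(post_html, base_url):
    """Return absolute URLs of all images a client would fetch to render the post."""
    parser = ImageSrcCollector()
    parser.feed(post_html)
    return [urljoin(base_url, src) for src in parser.srcs]


def headers_vulnerable(url, token=TOKEN):
    """Bug class from the article: the credential goes out with every request."""
    return {"Authorization": f"Bearer {token}"}


def headers_hardened(url, token=TOKEN, allowed_hosts=API_HOSTS):
    """Attach the credential only to HTTPS requests to an allowlisted host.

    urlsplit().hostname is used deliberately: it lowercases the host and
    discards any userinfo, so "https://public-api.wordpress.com@evil.example/"
    resolves to "evil.example" and is refused, and a plaintext http:// URL to
    the real host is refused as well.
    """
    parts = urlsplit(url)
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return {"Authorization": f"Bearer {token}"}
    return {}


def hosts_receiving_token(urls, header_builder):
    """Sorted list of hosts that would be sent the token under a given builder."""
    return sorted({urlsplit(u).hostname
                   for u in urls
                   if "Authorization" in header_builder(u)})


# Constructed post body: one Flickr-style image, one site-relative image,
# one userinfo lookalike, one plaintext URL to the API host, one genuine API URL.
SAMPLE_POST = """<p>Holiday photos</p>
<img src="https://farm1.staticflickr.example/photo.jpg">
<img src="/wp-content/uploads/local.png">
<img src="https://public-api.wordpress.com@attacker.example/x.png">
<img src="http://public-api.wordpress.com/media/y.png">
<img src="https://public-api.wordpress.com/rest/v1.1/media/1">
"""
BASE = "https://myblog.wordpress.com/2019/03/post/"  # constructed blog URL


if __name__ == "__main__":
    urls = image_urls(SAMPLE_POST, BASE)
    print("token sent to (vulnerable):", hosts_receiving_token(urls, headers_vulnerable))
    print("token sent to (hardened):  ", hosts_receiving_token(urls, headers_hardened))
```

Run stand-alone, the vulnerable builder hands the token to the Flickr-style host, the lookalike host and the blog's own host; the hardened builder releases it only to the allowlisted API host over HTTPS. The same check belongs in any client that embeds third-party content: the decision to send a credential is made per request from the destination host, never from the fact that the request originated inside an authenticated session.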

The danger now is that WordPress.com authentication tokens are recorded in the server logs of various websites and online services, and that unethical website owners or employees might go looking for them there.

The value of these tokens is that they can be used to access a user’s WordPress.com account without a password.

Self-hosted WordPress sites are not affected, as the open-source version uses its own user system to grant users access to their sites, not WordPress.com accounts.

Automattic did not reveal in-depth technical details, did not say how it discovered the leak, and did not say how many users were affected.

A copy of Automattic’s email is available below:
