Font Awesome WordPress Plugin API Token vulnerability fixed
On Monday, March 9th, 2020 we were made aware of a security issue with our WordPress plugin.
The vulnerable versions are 4.0.0-rc15 and 4.0.0-rc16. Version 4.0.0-rc15 was released Thursday, March 5th.
The vulnerability exposes the Font Awesome API token and access token for users who have configured the plugin to use a kit. If compromised, these tokens could give an unauthorized person access to that user’s list of kits and kit settings.
What we’ve done to fix this
Previously, we stored the API and access tokens in a file that could be accessed by unauthorized persons.
As of 4.0.0-rc17, the API and access tokens are stored in the WordPress database. When the PHP openssl extension is available (as recommended by WordPress.org), the API and access tokens will also be encrypted. When updating an API token, the file that previously stored the API token is automatically removed.
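The storage pattern the fix describes, as an added example in plain PHP (not the plugin's own code): the token is sealed with AES-256-GCM when the openssl extension is present and stored unencrypted with a flag otherwise; the key, the option name and the WordPress calls in the comments are assumptions.

```php
<?php
// Added example, not Font Awesome plugin code. Seals an API token for storage in
// the database when openssl is available, as the 4.0.0-rc17 fix describes.
const CIPHER = 'aes-256-gcm';

function secret_key(): string {
    // Assumption: a real plugin would derive this from the site's salts (wp_salt('auth')).
    return hash('sha256', 'constructed-placeholder-salt', true); // 32 raw bytes
}

function seal_token(string $token): array {
    if (!function_exists('openssl_encrypt')
        || !in_array(CIPHER, openssl_get_cipher_methods(), true)) {
        // openssl missing: keep a flag so the record can be upgraded later.
        return ['enc' => false, 'value' => $token];
    }
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // 12-byte GCM nonce
    $tag = '';
    $ct  = openssl_encrypt($token, CIPHER, secret_key(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return ['enc' => true, 'value' => base64_encode($iv . $tag . $ct)];
}

function open_token(array $record): string {
    if (!$record['enc']) {
        return $record['value'];
    }
    $raw   = base64_decode($record['value'], true);
    $ivlen = openssl_cipher_iv_length(CIPHER);
    $iv    = substr($raw, 0, $ivlen);
    $tag   = substr($raw, $ivlen, 16);
    $ct    = substr($raw, $ivlen + 16);
    $pt    = openssl_decrypt($ct, CIPHER, secret_key(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // GCM tag check failed: record was altered or the key changed.
        throw new RuntimeException('token record failed authentication');
    }
    return $pt;
}

// In WordPress (calls assumed available there) the record goes in the options
// table instead of a file, and the legacy file is removed once migrated:
//   update_option('fa_api_token', seal_token($token), false);   // option name assumed
//   $token = open_token(get_option('fa_api_token'));
//   if (is_file($legacy_path)) { unlink($legacy_path); }         // path not given here
$record = seal_token('constructed-example-api-token');
assert(open_token($record) === 'constructed-example-api-token');
```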
We have already deleted and re-created all API tokens that may have been affected. Any access token generated from an API token automatically expires one hour after being issued. If your site is currently configured to use a kit, it will continue to load the kit normally, even though the API token you used to set it up is no longer valid. However, any queries to our API server, such as refreshing kit data on the settings page, will stop working until you update.
What you should do
If you are using our plugin and using Kits, visit your WordPress Admin and install 4.0.0-rc17, which is available today.
Once installed, you should update your API token in your WordPress settings:
1. Go to https://fontawesome.com/account
2. Log in to your WordPress installation and go to the Font Awesome settings.
3. On the “Use a Kit” screen under the “Settings” tab, click “Update token”.
4. Paste in the new API token you copied from your fontawesome.com account and click “Save API Token”.
What information was leaked
The API and access tokens are small pieces of data that, if compromised, will give an unauthorized person a list of kits and kit settings for the associated account. Kit settings include a unique identifier, the kit name, and various configuration options that control how Font Awesome loads and functions. All of these except for the kit name are publicly available when using a kit on your website.
No personally identifiable information was leaked using either the API or access token, unless you added personally identifiable information to a kit name on the kit’s settings page. These tokens are read-only and cannot be used to make any changes to kits or accounts.
Get in contact with us
If you have any questions you can contact us at firstname.lastname@example.org.