Twitter clients stay signed in with pre-breach passwords
OAuth means apps can connect despite reset of passwords made unsafe by breach
Twitter has detected a breach and suggested 250,000 users change their passwords. Yet users who heed that advice will still find that apps using the Twitter API, including the company's own, allow access to the service without asking users to enter the new password.
Reg readers and hacks in Vulture South, our Australian outpost, were among those in receipt of a notification that their accounts were among those compromised after an attack on the micro-blogging service. Twitter quickly 'fessed up to the attack and sent those users whose privacy was threatened a notice they should reset their passwords.
A password change performed on the web did not, however, cause Twitter's own apps for iPad (under iOS 5.1.1 on an iPad 1) or iOS (under iOS 6 on an iPhone 5) to prompt us for the new password. Instead, it remained possible to post tweets from both.
TweetDeck also allowed us to post tweets after a password change on Twitter with no new input to TweetDeck. As Vulture South runs TweetDeck as a Chrome app, we logged out of Twitter in Chrome but were still able to post from TweetDeck without being asked to enter the new Twitter password we had created around 40 hours previously.
Other users of Twitter's iOS app confirmed the same issue, one telling The Reg that only after he deleted and re-installed the app was he prompted for a new password.
Freelance technology journalist Alex Kidman reset his password on the web and was afterwards able to tweet from an Android handset, again without being required to enter the new password into the app. Our own Richard Chirgwin noticed the same issue with the YoruFukurou (NightOwl) Mac OS Twitter client he favours.
Twitter spokesperson Jim Prosser did not deny that clients can continue to access the service even after passwords have been changed, and told The Reg, by email, that “TweetDeck and other clients use [the open authorisation standard] OAuth, so as long as you don't sign out, you don't have to re-input your credential every time you open the app.”
Prosser has also pointed out that the situation described above is an OAuth token issue, not a password issue.
However the web page Twitter published to detail the attack says, in part, that "As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts."
OAuth separates the credential a user types (the password) from the credential an app holds on the user's behalf (a token). In OAuth 2.0 there are two kinds: access tokens, which authorise API calls for a user, and refresh tokens, which are exchanged for a new access token when one expires. Twitter's API used OAuth 1.0a, in which a client holds a long-lived access token and secret and, as Twitter's own developer guidance quoted below states, access tokens are never expired. Nothing in OAuth ties a token's validity to the password; whether a password change invalidates the tokens issued under the old password is a policy the service chooses to implement, or not, on its own servers.
Based on Vulture South's experience, the tokens Twitter says it has revoked are not OAuth tokens.
Twitter has already been the subject of trouble on a similar topic, as security researcher Cesar Cerrudo recently found it was possible for apps to access direct messages without users' knowledge thanks to those apps' use of OAuth.
The Reg has asked Prosser whether apps being able to stay logged in through OAuth after passwords change represents satisfactory security, especially in light of the recent attack on the company. A reply to that question had not been received at the time of writing.
But Chester Wisniewski, a senior security adviser at Sophos Canada, feels Twitter has not used best practice.
"It is possible to revoke tokens," he said, and while a change to OAuth to formalise revocation has not been signed off, "there is nothing that would stop them from doing it anyway."
Wisniewski has two theories for why Twitter did not revoke the tokens, the first of which is that the company understood the nature of the attack so well it felt it was safe to operate without doing so. The second is that "Twitter are being foolish."
"I do question why they did not reset the OAuth tokens," he added, declaring the company has earned a B+ grade for its handling of the attack, but only because most responses to similar incidents are far worse.
Sean Duca, an enterprise solutions architect from McAfee's APAC office, offered a similar opinion, telling The Reg by email that "when a password is changed on one device and you have two other devices logged in with the old password (for example), the vendor should terminate all open sessions for the given account."
That seems not to be Twitter's position, as the company's OAuth guidance for developers, available here, says the following:
"We do not currently expire access tokens. Your access token will be invalid if a user explicitly rejects your application from their settings or if a Twitter admin suspends your application. If your application is suspended there will be a note on your application page saying that it has been suspended."
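The two positions above, tokens that outlive a password reset versus tokens that die with it, come down to a few lines of server-side logic. The following is an added example, not Twitter's code and not a description of how its token store actually works: a toy model with two stores, one in which an access token stays valid until an app is explicitly revoked (the behaviour Twitter's guidance describes) and one that stamps each token with a "credential generation" counter that a password change increments, so every token minted under the old password fails validation without the store needing to be told. The account model, the `cred_generation` field and the store classes are all assumptions made for the illustration.

```python
"""Added example (not Twitter's code): password-bound vs. password-independent
OAuth-style access tokens. The account model and token stores are hypothetical."""
import secrets
from dataclasses import dataclass
from hashlib import pbkdf2_hmac
from typing import Dict, Tuple


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    cred_generation: int = 0  # hypothetical counter, bumped on every password change


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count kept modest so the example runs quickly
    return pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def create_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt))


def verify_password(account: Account, password: str) -> bool:
    return secrets.compare_digest(account.password_hash, hash_password(password, account.salt))


def change_password(account: Account, new_password: str) -> None:
    account.salt = secrets.token_bytes(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.cred_generation += 1  # invalidates generation-bound tokens below


class NaiveTokenStore:
    """Token keyed to the username only: it never expires, and a password
    change does not touch it. Only explicit revocation removes it."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, account: Account) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = account.username
        return token

    def is_valid(self, token: str, account: Account) -> bool:
        return self._tokens.get(token) == account.username

    def revoke_all(self, account: Account) -> int:
        """Explicit revocation is always possible, whatever the spec says."""
        doomed = [t for t, u in self._tokens.items() if u == account.username]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


class GenerationBoundTokenStore:
    """Token records the credential generation it was minted under; a token is
    valid only while the account is still on that generation."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, int]] = {}

    def issue(self, account: Account) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (account.username, account.cred_generation)
        return token

    def is_valid(self, token: str, account: Account) -> bool:
        return self._tokens.get(token) == (account.username, account.cred_generation)

    def revoke_all(self, account: Account) -> int:
        doomed = [t for t, (u, _) in self._tokens.items() if u == account.username]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


def simulate(store) -> Tuple[bool, bool]:
    """Two clients (a phone app and a desktop client, say) are authorised, then
    the user resets the password on the web. Returns (any_valid_before,
    any_valid_after) so the two stores can be compared directly."""
    acct = create_account("vulture_south", "pre-breach-password")  # constructed sample user
    phone = store.issue(acct)
    desktop = store.issue(acct)
    before = store.is_valid(phone, acct) and store.is_valid(desktop, acct)
    change_password(acct, "new-password-after-reset")
    after = store.is_valid(phone, acct) or store.is_valid(desktop, acct)
    return before, after


if __name__ == "__main__":
    print("naive store  (before, after reset):", simulate(NaiveTokenStore()))
    print("bound store  (before, after reset):", simulate(GenerationBoundTokenStore()))
```

Running it shows the naive store returning `(True, True)`, which is what the clients above experienced, and the generation-bound store returning `(True, False)`, which is what Duca's "terminate all open sessions" amounts to. The generation counter is the cheap way to get that: no token has to be looked up or deleted at reset time, because validation compares the token's stamp to the account's current value. A service that also wants an incident-response lever keeps `revoke_all` regardless, since, as Wisniewski notes, nothing in OAuth prevents a provider from revoking tokens it issued.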
We've asked Twitter whether it issues its own tokens and how it manages them, but have not received a response at the time of writing. ®