Feeds

Twitter clients stay signed in with pre-breach passwords

OAuth means apps can connect despite reset of passwords made unsafe by breach

Securing Web Applications Made Simple and Scalable

Twitter has detected a breach and suggested 250,000 users change their passwords. Yet users who heed that advice will still find that apps using the Twitter API, including the company's own, allow access to the service without asking users to enter the new password.

Reg readers and hacks in Vulture South, our Australian outpost, were among those in receipt of a notification that their accounts were among those compromised after an attack on the micro-blogging service. Twitter quickly 'fessed up to the attack and sent those users whose privacy was threatened a notice they should reset their passwords.

A password change performed on the web did not, however, cause Twitter's own apps for iPad (under iOS 5.1.1 on an iPad 1) or iOS (under iOS 6 on an iPhone 5) to prompt us for the new password. Instead, it remained possible to post tweets from both.

TweetDeck also allowed us to to post tweets after a password change on Twitter but no new input to TweetDeck. As Vulture South runs TweetDeck as a Chrome app, we logged out of Twitter in Chrome but were still able to post from TweetDeck without being asked to enter the new Twitter password we had created around 40 hours previously.

Other users of Twitter's iOS app confirmed the same issue, one telling The Reg that only after he deleted and re-installed the app was he prompted for a new password.

Freelance technology journalist Alex Kidman reset his password on the web and was afterwards able to tweet from an Android handset, again without being required to enter the new password into the app. Our own Richard Chirgwin noticed the same issue with the YoruFukurou (NightOwl) Mac OS Twitter client he favours.

Twitter spokesperson Jim Prosser did not deny that clients can continue to access the service even after passwords have been changed, and told The Reg, by email, that “TweetDeck and other clients use [open authentication standard] OAuth, so as long as you don't sign out, you don't have to re-input your credential every time you open the app.”

Prosser has also pointed out that the situation described above is an OAuth token issue, not a password issue.

However the web page Twitter published to detail the attack says, in part, that "As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts."

OAuth makes use of two types of tokens: access tokens and refresh tokens. The former establishes an authenticated link between a user and an online service. The latter sustains and extends authentication and has a role in initiating new sessions.

Based on Vulture South's experience, the tokens Twitter says it has revoked are not OAuth tokens.

Twitter has already been the subject of trouble on a similar topic, as security researcher Cesar Cerrudo recently found it was possible for apps to direct messages without users' knowledge thanks to those apps' use of OAuth.

The Reg has asked Prosser whether apps being able to to stay logged in through OAuth after passwords change represents satisfactory security, especially in light of the recent attack on the company. A reply to that question has not been received at the time of writing.

But Chester Wisniewski, a senior security adviser at Sophos Canada, feels Twitter has not used best practice.

"It is possible to revoke tokens," he said, and while a change to OAuth to formalise revocation has not been signed off, "there is nothing that would stop them from doing it anyway."

Wisniewski has two theories for why Twitter did not revoke the tokens, the first of which is that the company understood the nature of the attack so well it felt it was safe to operate without doing so. The second is that "Twitter are being foolish."

"I do question why they did not reset the oAUTH tokens," he added, declaring the company has earned a B+ grade for its handling of the attack, but only because most responses to similar incidents are far worse.

Sean Duca, an enterprise solutions Architect from McAfee's APAC office offered a similar opinion, telling The Reg by email that "when a password is changed on one device and you have two other devices logged in with the old password (for example), the vendor should terminate all open sessions for the given account."

That seems not to be Twitter's position, as the company's OAuth guidance for developers, available here, says the following:

"We do not currently expire access tokens. Your access token will be invalid if a user explicitly rejects your application from their settings or if a Twitter admin suspends your application. If your application is suspended there will be a note on your application page saying that it has been suspended."

We've asked Twitter whether it issues its own tokens and how it manages them, but have not received a response at the time of writing. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.