Feeds

Twitter clients stay signed in with pre-breach passwords

OAuth means apps can connect despite reset of passwords made unsafe by breach

Internet Security Threat Report 2014

Twitter has detected a breach and suggested 250,000 users change their passwords. Yet users who heed that advice will still find that apps using the Twitter API, including the company's own, allow access to the service without asking users to enter the new password.

Reg readers and hacks in Vulture South, our Australian outpost, were among those in receipt of a notification that their accounts were among those compromised after an attack on the micro-blogging service. Twitter quickly 'fessed up to the attack and sent those users whose privacy was threatened a notice they should reset their passwords.

A password change performed on the web did not, however, cause Twitter's own apps for iPad (under iOS 5.1.1 on an iPad 1) or iOS (under iOS 6 on an iPhone 5) to prompt us for the new password. Instead, it remained possible to post tweets from both.

TweetDeck also allowed us to to post tweets after a password change on Twitter but no new input to TweetDeck. As Vulture South runs TweetDeck as a Chrome app, we logged out of Twitter in Chrome but were still able to post from TweetDeck without being asked to enter the new Twitter password we had created around 40 hours previously.

Other users of Twitter's iOS app confirmed the same issue, one telling The Reg that only after he deleted and re-installed the app was he prompted for a new password.

Freelance technology journalist Alex Kidman reset his password on the web and was afterwards able to tweet from an Android handset, again without being required to enter the new password into the app. Our own Richard Chirgwin noticed the same issue with the YoruFukurou (NightOwl) Mac OS Twitter client he favours.

Twitter spokesperson Jim Prosser did not deny that clients can continue to access the service even after passwords have been changed, and told The Reg, by email, that “TweetDeck and other clients use [open authentication standard] OAuth, so as long as you don't sign out, you don't have to re-input your credential every time you open the app.”

Prosser has also pointed out that the situation described above is an OAuth token issue, not a password issue.

However the web page Twitter published to detail the attack says, in part, that "As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts."

OAuth makes use of two types of tokens: access tokens and refresh tokens. The former establishes an authenticated link between a user and an online service. The latter sustains and extends authentication and has a role in initiating new sessions.

Based on Vulture South's experience, the tokens Twitter says it has revoked are not OAuth tokens.

Twitter has already been the subject of trouble on a similar topic, as security researcher Cesar Cerrudo recently found it was possible for apps to direct messages without users' knowledge thanks to those apps' use of OAuth.

The Reg has asked Prosser whether apps being able to to stay logged in through OAuth after passwords change represents satisfactory security, especially in light of the recent attack on the company. A reply to that question has not been received at the time of writing.

But Chester Wisniewski, a senior security adviser at Sophos Canada, feels Twitter has not used best practice.

"It is possible to revoke tokens," he said, and while a change to OAuth to formalise revocation has not been signed off, "there is nothing that would stop them from doing it anyway."

Wisniewski has two theories for why Twitter did not revoke the tokens, the first of which is that the company understood the nature of the attack so well it felt it was safe to operate without doing so. The second is that "Twitter are being foolish."

"I do question why they did not reset the oAUTH tokens," he added, declaring the company has earned a B+ grade for its handling of the attack, but only because most responses to similar incidents are far worse.

Sean Duca, an enterprise solutions Architect from McAfee's APAC office offered a similar opinion, telling The Reg by email that "when a password is changed on one device and you have two other devices logged in with the old password (for example), the vendor should terminate all open sessions for the given account."

That seems not to be Twitter's position, as the company's OAuth guidance for developers, available here, says the following:

"We do not currently expire access tokens. Your access token will be invalid if a user explicitly rejects your application from their settings or if a Twitter admin suspends your application. If your application is suspended there will be a note on your application page saying that it has been suspended."

We've asked Twitter whether it issues its own tokens and how it manages them, but have not received a response at the time of writing. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.