Twitter clients stay signed in with pre-breach passwords

OAuth means apps can connect despite reset of passwords made unsafe by breach

Twitter has detected a breach and advised some 250,000 users to change their passwords. Yet users who heed that advice will still find that apps using the Twitter API, including Twitter's own clients, keep accessing the service without ever asking for the new password.

Reg readers and hacks in Vulture South, our Australian outpost, were among those in receipt of a notification that their accounts were among those compromised after an attack on the micro-blogging service. Twitter quickly 'fessed up to the attack and sent those users whose privacy was threatened a notice they should reset their passwords.

A password change performed on the web did not, however, cause Twitter's own apps for iPad (under iOS 5.1.1 on an iPad 1) or iOS (under iOS 6 on an iPhone 5) to prompt us for the new password. Instead, it remained possible to post tweets from both.

TweetDeck also allowed us to post tweets after a password change on Twitter with no new input to TweetDeck. As Vulture South runs TweetDeck as a Chrome app, we logged out of Twitter in Chrome but were still able to post from TweetDeck without being asked to enter the new Twitter password we had created around 40 hours previously.

Other users of Twitter's iOS app confirmed the same issue, one telling The Reg that only after he deleted and re-installed the app was he prompted for a new password.

Freelance technology journalist Alex Kidman reset his password on the web and was afterwards able to tweet from an Android handset, again without being required to enter the new password into the app. Our own Richard Chirgwin noticed the same issue with the YoruFukurou (NightOwl) Mac OS Twitter client he favours.

Twitter spokesperson Jim Prosser did not deny that clients can continue to access the service even after passwords have been changed, and told The Reg, by email, that “TweetDeck and other clients use [open authentication standard] OAuth, so as long as you don't sign out, you don't have to re-input your credential every time you open the app.”

Prosser also pointed out that the situation described above is an OAuth token issue, not a password issue.

However the web page Twitter published to detail the attack says, in part, that "As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts."

OAuth 2.0 defines two kinds of token: access tokens, which a client presents on every API call to act on the user's behalf, and refresh tokens, which let a client obtain a fresh access token after the old one expires without sending the user back through the sign-in flow. Twitter's API at the time used OAuth 1.0a, which has only access tokens, and, as the developer guidance quoted further down makes clear, Twitter did not expire them.

Based on Vulture South's experience, whatever session tokens Twitter says it revoked did not include the OAuth access tokens held by third-party clients, or by Twitter's own apps.

Twitter has already been the subject of trouble on a similar topic, as security researcher Cesar Cerrudo recently found it was possible for apps to access users' direct messages without their knowledge thanks to those apps' use of OAuth.

The Reg has asked Prosser whether apps being able to stay logged in through OAuth after passwords change represents satisfactory security, especially in light of the recent attack on the company. A reply to that question had not been received at the time of writing.

But Chester Wisniewski, a senior security adviser at Sophos Canada, feels Twitter has not used best practice.

"It is possible to revoke tokens," he said, and while a change to OAuth to formalise revocation has not been signed off, "there is nothing that would stop them from doing it anyway."

Wisniewski has two theories for why Twitter did not revoke the tokens, the first of which is that the company understood the nature of the attack so well it felt it was safe to operate without doing so. The second is that "Twitter are being foolish."

"I do question why they did not reset the OAuth tokens," he added, declaring the company has earned a B+ grade for its handling of the attack, but only because most responses to similar incidents are far worse.

Sean Duca, an enterprise solutions architect from McAfee's APAC office, offered a similar opinion, telling The Reg by email that "when a password is changed on one device and you have two other devices logged in with the old password (for example), the vendor should terminate all open sessions for the given account."

That seems not to be Twitter's position, as the company's OAuth guidance for developers says the following:

"We do not currently expire access tokens. Your access token will be invalid if a user explicitly rejects your application from their settings or if a Twitter admin suspends your application. If your application is suspended there will be a note on your application page saying that it has been suspended."
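Duca's "terminate all open sessions" advice and Twitter's "we do not currently expire access tokens" describe two different server-side policies. The toy token registry below, an added example written for this article and not code from Twitter or any client, models both: each account carries a password generation counter, every OAuth-style access token records the generation it was issued under, and a password change either bumps the counter (killing every outstanding token in one step) or leaves it alone (Twitter's observed behaviour, where only web sessions die). The account name, app name and passwords are constructed for the demo.

```python
"""Toy model of accounts, web sessions and OAuth-style access tokens.

Added illustration for the article above; not Twitter's implementation.
Shows why a password reset should also invalidate outstanding access tokens.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept low only so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0                      # bumped on every password change
    web_sessions: set[str] = field(default_factory=set)


@dataclass
class AccessToken:
    user: str
    app: str
    pw_generation: int                          # generation current when the token was minted
    revoked: bool = False                       # set when the user rejects the app in settings


class TokenService:
    """Minimal server-side token registry.  revoke_tokens_on_password_change
    selects the hardened policy (True) or the observed Twitter policy (False)."""

    def __init__(self, revoke_tokens_on_password_change: bool) -> None:
        self.revoke_tokens_on_password_change = revoke_tokens_on_password_change
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, AccessToken] = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login_web(self, user: str, password: str) -> str:
        acct = self.accounts[user]
        if not secrets.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            raise PermissionError("bad password")
        sid = secrets.token_urlsafe(32)
        acct.web_sessions.add(sid)
        return sid

    def authorize_app(self, user: str, app: str) -> str:
        """Issue an access token to a client app (the OAuth dance itself is elided)."""
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = AccessToken(user, app, self.accounts[user].pw_generation)
        return tok

    def revoke_app(self, user: str, app: str) -> None:
        """The one revocation path Twitter's guidance offers: user rejects the app."""
        for t in self.tokens.values():
            if t.user == user and t.app == app:
                t.revoked = True

    def token_is_valid(self, tok: str) -> bool:
        t = self.tokens.get(tok)
        if t is None or t.revoked:
            return False
        # A token minted under an older password generation is dead.  Under the
        # weak policy the generation never moves, so this check never fires.
        return t.pw_generation == self.accounts[t.user].pw_generation

    def change_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.web_sessions.clear()               # what Twitter said it did: sessions revoked
        if self.revoke_tokens_on_password_change:
            acct.pw_generation += 1             # kills every outstanding token at once


def demo(revoke_on_change: bool) -> dict[str, bool]:
    """Issue a web session and a client token, reset the password, report what survives."""
    svc = TokenService(revoke_on_change)
    svc.register("vulturesouth", "pre-breach-password")            # constructed account
    sid = svc.login_web("vulturesouth", "pre-breach-password")
    tok = svc.authorize_app("vulturesouth", "TweetDeck")
    before = svc.token_is_valid(tok)
    svc.change_password("vulturesouth", "new-password-after-breach")
    after = svc.token_is_valid(tok)
    svc.revoke_app("vulturesouth", "TweetDeck")
    return {
        "token_valid_before_reset": before,
        "token_valid_after_reset": after,
        "web_session_alive_after_reset": sid in svc.accounts["vulturesouth"].web_sessions,
        "token_valid_after_user_revokes_app": svc.token_is_valid(tok),
    }


if __name__ == "__main__":
    print("Twitter-style policy :", demo(revoke_on_change=False))
    print("Hardened policy      :", demo(revoke_on_change=True))
```

The generation counter is the cheap way to do what Wisniewski describes: no per-token scan, no new protocol message and no client change, because a client holding a stale token simply gets an authentication failure on its next API call and sends the user back through the authorization flow, which is exactly what the Reg's iOS reader saw only after reinstalling the app. In the weak mode the web session dies but the TweetDeck token keeps working, which matches the behaviour reported above.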

We've asked Twitter whether it issues its own tokens and how it manages them, but have not received a response at the time of writing. ®
