Twitter clients stay signed in with pre-breach passwords

Twitter has detected a breach and suggested 250,000 users change their passwords. Yet users who heed that advice will still find that apps using the Twitter API, including the company's own, allow access to the service without asking users to enter the new password. Reg readers and hacks in Vulture South, our Australian …

COMMENTS

This topic is closed for new posts.
  1. Annihilator
    Paris Hilton

    No security risk?

    On first reading, it seems that there isn't an issue. Potentially usernames and passwords were leaked (though salted, and emphasis on "potentially"), which has no bearing on the tokens used by the Twitter API which uses, in effect, a unique one-time password that exists between client and server.

    The only criticism is that some affected users wouldn't know they'd been affected, but the only risk to them would be if they shared passwords across different services.

    1. Richard 12 Silver badge

      There is a very clear risk

      Once an app instance has been authenticated once, it's authorised forever.

      So if a miscreant has your username and password, they can log in as you using one of these apps - and keep on tweeting as you even after you've changed your password.

      That's rather foolish, don't you think?

      1. Annihilator

        Re: There is a very clear risk

        @Richard 12 - they can't log in as you using one of these apps. New logins aren't accepted, they still require the user/pass combo (which would fail), only pre-existing logins work. These apps are permanently logged in, and don't store passwords on the device, relying instead on this one-time token which was unaffected by the breach. To log in a different app on a different device would require a generation of a new token which would be issued on submission of the correct password, which would no longer work. The article says as much, namely logging out of the Twitter app (destroying the old OAuth token).

        The title of the article, "Twitter clients stay signed in with pre-breach passwords", is misleading: it's not "with" pre-breach passwords. It's with a token unaffected by the breach.

        1. censored

          Re: There is a very clear risk

          I think what Richard12 is saying is this:

          - you have Twitter1 app signed in

          - miscreant hacks account and changes the password

          - Twitter1 stays signed in because it already has a token which is not altered by a change in password

          - miscreant logs into Twitter2 app

          - you realised the hack and change your password

          - Twitter2 app is STILL logged in because OAuth tokens aren't revoked by a password change

        2. DJ Smiley
          FAIL

          Re: There is a very clear risk

          Sorry, you believe they noticed the hack the exact moment it happened?

          There was no gap between hackers getting the username/password (why wasn't it encrypted - was it?) and twitter locking the accounts?

          Of course there was a gap! In that time you request an OAuth login. You're now authenticated for life. Happy times.

          1. Annihilator
            Stop

            Re: There is a very clear risk

            "There was no gap between hackers getting the username/password (why wasn't it encrypted - was it?) and twitter locking the accounts?"

            Was it encrypted? Yes. The risk was if they ever decrypted it, it would then be worthless.

            To revoke the OAuth logins would have revoked it for every user of the app. Crap implementation maybe, but the risk assessment is pretty much zero.

          2. Craig 8
            Thumb Down

            It's NOT a login [Re: There is a very clear risk]

            The "auth" stands for "authorisation", not for "authentication". The authorised service never had your password in the first place, so it is entirely irrelevant whether your password is changed or not. What you want to do is revoke the authorizations, not change your authentication credentials.

    2. Lusty

      Re: No security risk?

      Definitely a problem. One of the most important jobs of any user directory is revocation of access. If they are not able to revoke access then there is a massive security problem.

      You'd think that having the word "open" in the name it would be completely without flaws because presumably many people will have seen the code etc. or at least that's the usual open source line...

  2. Anonymous Coward
    Thumb Down

    Piss-poor

    There isn't any excuse for not revoking access. I guess they're more concerned about keeping their users tweeting (continued use) than security.

  3. Anonymous Coward
    Anonymous Coward

    Would resetting tokens cause Apps to hit 100k API token limit?

    If they reset the auth tokens, then sure it will mean that all those users will have to re-authenticate their chosen application to Twitter? Thereby increasing the number of token requests made by that App, and so quite possibly taking that app over the 100,000 token limit that Twitter have imposed.

    Twitter has had enough backlash over the 100k limit, maybe they didn't want to trigger more anger when some of the popular apps which are just below 100k suddenly exceeded that limit and were refused any more. Of course, they could choose to ignore the number they reset - but doesn't that start indicating how stupid the 100k limit was in the first place?

    1. censored

      Re: Would resetting tokens cause Apps to hit 100k API token limit?

      I was just about to say that... worse, since revoked tokens are returned to the pool it's possible that yours is returned and given to someone else, so you lose access to your favourite app because they're unable to issue a new one.

      I was going to suggest a workaround could be to automatically revoke all tokens upon password change, but clearly with the access limit this isn't practical.

      1. stanimir

        Re: Would resetting tokens cause Apps to hit 100k API token limit?

        Any access token must have a version that's to be compared to the current credentials version. Mismatch = revocation. Simple.

  4. Anonymous Coward
    Anonymous Coward

    Surely there's no issue here? Only the user table was dumped (if that's what happened) and twitter immediately reset those passwords.

    So the OAuth thing would only be an issue if the passwords weren't salted and encrypted, and hadn't been immediately blocked, or the OAuth table was hacked. Which, as Twitter have been very open about what happened, seems unlikely.

    1. Annihilator
      Thumb Up

      Yup. But doesn't stop the down-votes flooding in for the same thing I suggested above.

      The obligatory analogy - you were given a key to the back door of a house by virtue of showing them you had a front door key. The front door key has now been stolen, but was stolen in a tightly locked box that will take a good deal of effort to break open. So they've changed the front door lock lest that ever happen. The lock for the back door hasn't been compromised, and there's no way to use the stolen front door key to either open the front door, or be granted a new back door key, even if the front door key is broken out of the box.

  5. Anonymous Coward
    Anonymous Coward

    I've had similar issues with Dropbox

    After my Hotmail account was hacked and used to send spam to everyone in my address book, I changed my passwords to everything. The Dropbox clients on my phone, tablet, Windows and OSX continued to work without requesting the new password. It only becomes an issue if one of the devices is stolen.

    Anon - because having my Hotmail account hacked was rather sloppy of me.

    1. Wize

      Re: I've had similar issues with Dropbox

      You'd have to log on to Dropbox and revoke access from there to any of your remote devices. You wouldn't even need to change your password (but probably should go round and reset them all).

      Same for Twitter and Facebook. Just delete the devices/apps that connect to it and they need to re-authenticate to reconnect.

  6. Jamie Kitson

    Similar

    Reminds me of an issue I had with Flickr. I'd accidentally leaked one of my apps' secrets. No problem I thought, I'll just regenerate it (as you can with Facebook for example). But Flickr has no way of regenerating app secrets. As far as I could see, the only secure thing to do was to disable that app and create a new one. Luckily I didn't have any users at that point.

  7. Craig 8
    Stop

    I Don't Think You've Quite Understood This...

    Let's see, the point of OAuth is that you can authorise services to access your Twitter account without needing your password. Logically, I don't see any reason that this should change just because you change your password; you might change your password every month for security reasons (yeah, right!) but that shouldn't mean you've stopped trusting the services you said you trusted before.

    There's some wrong-headed thinking here, that "change my password" should be the same thing as "reset all the security decisions I've ever made". If you think your account may have been breached, there are several other things you should do (like checking what spam has been posted in your name) as well as changing your password and revoking any inappropriate authorizations.

  8. LMitchell
    Stop

    A compromise

    Wouldn't it be better to only revoke tokens for those applications that were authorised between the time of the breach and the password reset being applied?

    For all we know they may have the statistics on this and found it to be a very small subset of users. Certainly a blanket reset would probably be more frustrating and disconcerting for users while not really achieving any security benefit.

  9. Mikey
    Facepalm

    For lunch today, I had...

    While any security breach is a Bad Thing (tm), this isn't exactly a mission-critical app, is it? The fact that a load of people might not be able to post inane crap about their house/cat/toast/celebrity-du-jour is hardly going to signify the fall of the Internets. And if your company relies on it for anything... well, why?

    Quite frankly I'd be happier if they managed to completely annihilate the damn 'service' in its entirety.

  10. Neoc

    I do not understand...

    I do not understand why people keep on talking about there being no problem about their devices keeping their authorisation after a password change. Yes, these people are right: there is no problem with regard to *their* device.

    But this isn't the point.

    Here's a potential situation:

    1) Hacker (somehow) gets his/her hands on your password.

    2) Hacker uses said password to authorise *their* app/device to use your account.

    3) You realise your account is compromised and change your password.

    4) Bad luck! Hacker's device stays Authorised.

    *This* is why Authorisation needs to be revoked the moment a password is changed.
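The scenario Neoc lays out above, together with stanimir's "token carries a credentials version" idea and LMitchell's "revoke only what was authorised during the breach window" compromise, can be replayed in a few lines. The following is an added example, not code from the article or from any commenter; the `TokenService` class, its method names, the `toy_hash` placeholder and the timestamps are all constructed for illustration, and nothing here reflects how Twitter actually stores tokens.

```python
"""Toy model of long-lived bearer-token authorisation (added example, not
the article's or Twitter's code). It replays Neoc's four-step scenario and
shows two ways to end the attacker's session after a password reset."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


def toy_hash(password: str) -> str:
    # Placeholder for a slow, salted password hash (bcrypt/scrypt/argon2).
    # Plain SHA-256 is used only so the example runs without dependencies.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    credential_version: int = 0   # bumped on every password change


@dataclass
class Token:
    user: str
    client: str
    issued_at: int                # constructed "seconds" timestamp
    credential_version: int       # account version when the token was issued
    revoked: bool = False


class TokenService:
    """Hypothetical service holding accounts and the tokens issued for them."""

    def __init__(self, *, bind_to_version: bool):
        self.bind_to_version = bind_to_version
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, Token] = {}

    def create_account(self, user: str, password: str) -> None:
        self.accounts[user] = Account(toy_hash(password))

    def authorise(self, user: str, password: str, client: str, now: int) -> str | None:
        """Exchange a correct password for a long-lived token (the OAuth-style step)."""
        acct = self.accounts.get(user)
        if acct is None or acct.password_hash != toy_hash(password):
            return None                          # new logins still need the real password
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = Token(user, client, now, acct.credential_version)
        return tok

    def change_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.password_hash = toy_hash(new_password)
        acct.credential_version += 1             # stanimir: "mismatch = revocation"

    def is_valid(self, tok: str) -> bool:
        t = self.tokens.get(tok)
        if t is None or t.revoked:
            return False
        if not self.bind_to_version:
            return True                          # the behaviour the thread complains about
        return t.credential_version == self.accounts[t.user].credential_version

    def revoke_issued_between(self, user: str, start: int, end: int) -> int:
        """LMitchell's compromise: revoke only tokens authorised inside the window."""
        hits = [t for t in self.tokens.values()
                if t.user == user and start <= t.issued_at <= end and not t.revoked]
        for t in hits:
            t.revoked = True
        return len(hits)


def replay_neoc_scenario(bind_to_version: bool) -> tuple[bool, bool]:
    """Returns (victim_app_still_valid, attacker_app_still_valid) after the reset."""
    svc = TokenService(bind_to_version=bind_to_version)
    svc.create_account("victim", "hunter2")                             # constructed creds
    mine = svc.authorise("victim", "hunter2", "Twitter1", now=100)      # my own app
    theirs = svc.authorise("victim", "hunter2", "EvilClient", now=200)  # step 2: attacker's app
    svc.change_password("victim", "correct horse battery staple")       # step 3: I reset
    return svc.is_valid(mine), svc.is_valid(theirs)                     # step 4: who survives?


def replay_window_revocation() -> tuple[bool, bool, int]:
    """Version-unbound store, but revoke only tokens authorised during the breach window."""
    svc = TokenService(bind_to_version=False)
    svc.create_account("victim", "hunter2")
    mine = svc.authorise("victim", "hunter2", "Twitter1", now=100)
    theirs = svc.authorise("victim", "hunter2", "EvilClient", now=200)
    svc.change_password("victim", "correct horse battery staple")
    revoked = svc.revoke_issued_between("victim", start=150, end=250)  # constructed window
    return svc.is_valid(mine), svc.is_valid(theirs), revoked
```

With `bind_to_version=False` both tokens survive the reset, which is Neoc's step 4. Binding tokens to the credential version kills the attacker's token, but also the user's own app, so every client has to re-authorise; that is exactly the trade-off the 100k-token-limit discussion above is about. The window-based revocation keeps the user's pre-breach app working while still cutting off anything authorised during the exposure period, at the cost of needing a trustworthy estimate of when the exposure began.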

