I can’t believe how much comment abuse you’re getting!

Why hasn’t Twitter taken the simple step of providing a tick box option when you change your password to also revoke or not the OAuth permissions? I guess we may argue over what the default on that should be :-) But expect people to understand that changing their password isn’t enough is just asking for trouble.

They didn’t give you an idea of what triggered this alert?

Calling them connections is confusing. And they don’t provide any audit of what these applications have been doing. It’d also be good if there were a note / link from the password rest page to the connections page.

But this is a relatively minor UX change. Not a security problem in OAuth. We should be following best practices. Which i did with my implementation.

Let’s say you legitimately use OAuth with, say, Dabr on your home PC.
You then go to work and use OAuth with Dabr on your work Mac.
Same site, different computers and IP addresses – but no difference in functionality. You just get the OAuth prompt. This is the way it is supposed to work, you may want to be logged in from multiple locations.

I think Twitter showing how many tokens you’ve authorised for each service may be a better idea than what they do currently. That way, you could revoke the token for a malicious user without having to revoke all of your tokens for a specific site.

It’s a knotty usability problem, that’s for sure.

T

That’s hardly an ideal situation and is still a security issue.

… until you revoke the OAuth token for that third-party application and then re-authorize it with a new OAuth token, which is the way it’s supposed to work.

Twitter could make it easier on users who get pwnt by providing a “de-authorize all applications” function.

I do agree that this *is* a security issue and that it needs to be clearer to users that simply changing their password is no longer enough to block someone from using their account.

IMO an automatic revoke of all tokens is too disruptive. Dossy gets it spot on when suggesting that if you change your password then you should be given some information about OAuth and how to further protect yourself.

I know I’m an idiot. Most people are. Good security design requires you to fit to your users’ expectations and limitations or invest heavily in educating them. It’s why writing down passwords is often more secure than choosing weak, but easily memorable passwords. People are idiots and can’t remember things.

In this case, OAuth tokens are a completely new way of thinking for most users. Twitter should take that into account when asking them to reset their passwords.

Tell me, assuming you use OAuth, how would you tell which one of your previously authorised sites was compromised?

T
PS You’ll notice a distinct lack of adverts on this site – I’m not sure what good SEO would do me. Unless you want to buy me something from my Amazon wishlist?

Terence, good point – well made. I did wonder about OAuth the other day when something like this happened to a friend of mind. Sad to hear my suspicion has proved correct.

This is not a security hole. This is a feature. It’s the way OAuth is designed.

Should twitter make it clearer how applications are posting to your account, and make it easier to see and revoke tokens. Sure. But they already do that, just maybe not as clearly as you’d like.

Posts like this are sensationalist SEO spam.

I agree, that’s why I said at the top of this post “Twitter has a gaping security hole. ”

There is nothing to suggest that OAuth itself is flawed – nor is it less secure than giving a random site your password. I’d much rather use OAuth.

But if someone does have your password, and uses OAuth before you have a chance to change it, they will still have access to your account even after the password has changed.

I haven’t exaggerated anything. Create a dummy account and try it for yourself if you don’t believe me.

T

Indeed – I think we both agree that it’s an education issue.

I can see why you wouldn’t want to deauthorise all tokens automatically – but I’d certainly have it as an option. After all, you can’t possibly know which site has been used with a compromised password (unless it’s the only one you haven’t personally authorised).

At any rate – I’d put the option on the same screen as password reset in order to educate users.

Thanks for the comments

T

Risk based security: Some applications use more fine grained controls to decide when to force a user to re-authenticate. The most common is that if a user wants to change their password, they usually have to re-authenticate as part of that process using their old password.

Any idea what the session length is with Twitter’s OAuth?

1) Change your password, thus locking the attacker out of your account.
2) Go into your authorized Twitter applications (on the Connections tab) and deauthorize any applications the attacker has authorized.

Again, if you are indeed correct that “most users” (and not just you and others like you) think changing your password will deauthorize all previously authorized applications through OAuth, then this is a user education issue, one that I would fix by adding a link to the Connections setting page on the password changing page with text that explains that “changing your password does not deauthorize any previously authorized applications. To do that, go to [link to Connections page]“.

I will say it outright: deauthorizing ALL OAuth tokens on a password change completely negates the value of OAuth. Period.