I can’t believe how much comment abuse you’re getting!

Why hasn’t Twitter taken the simple step of providing a tick box option when you change your password to also revoke or not the OAuth permissions? I guess we may argue over what the default on that should be :-) But expect people to understand that changing their password isn’t enough is just asking for trouble.

They didn’t give you an idea of what triggered this alert?

Calling them connections is confusing. And they don’t provide any audit of what these applications have been doing. It’d also be good if there were a note / link from the password rest page to the connections page.

But this is a relatively minor UX change. Not a security problem in OAuth. We should be following best practices. Which i did with my implementation.

Let’s say you legitimately use OAuth with, say, Dabr on your home PC.
You then go to work and use OAuth with Dabr on your work Mac.
Same site, different computers and IP addresses – but no difference in functionality. You just get the OAuth prompt. This is the way it is supposed to work, you may want to be logged in from multiple locations.

I think Twitter showing how many tokens you’ve authorised for each service may be a better idea than what they do currently. That way, you could revoke the token for a malicious user without having to revoke all of your tokens for a specific site.

It’s a knotty usability problem, that’s for sure.

T

That’s hardly an ideal situation and is still a security issue.

… until you revoke the OAuth token for that third-party application and then re-authorize it with a new OAuth token, which is the way it’s supposed to work.

Twitter could make it easier on users who get pwnt by providing a “de-authorize all applications” function.

I do agree that this *is* a security issue and that it needs to be clearer to users that simply changing their password is no longer enough to block someone from using their account.

IMO an automatic revoke of all tokens is too disruptive. Dossy gets it spot on when suggesting that if you change your password then you should be given some information about OAuth and how to further protect yourself.

I know I’m an idiot. Most people are. Good security design requires you to fit to your users’ expectations and limitations or invest heavily in educating them. It’s why writing down passwords is often more secure than choosing weak, but easily memorable passwords. People are idiots and can’t remember things.

In this case, OAuth tokens are a completely new way of thinking for most users. Twitter should take that into account when asking them to reset their passwords.

Tell me, assuming you use OAuth, how would you tell which one of your previously authorised sites was compromised?

T
PS You’ll notice a distinct lack of adverts on this site – I’m not sure what good SEO would do me. Unless you want to buy me something from my Amazon wishlist?

Terence, good point – well made. I did wonder about OAuth the other day when something like this happened to a friend of mind. Sad to hear my suspicion has proved correct.

This is not a security hole. This is a feature. It’s the way OAuth is designed.

Should twitter make it clearer how applications are posting to your account, and make it easier to see and revoke tokens. Sure. But they already do that, just maybe not as clearly as you’d like.

Posts like this are sensationalist SEO spam.