Twitter has a gaping security hole. Changing your password won’t stop malicious users logging in as you!
I received a rather worrying email from Twitter. Apparently they thought my password had been compromised and needed to be reset.
After checking to see if it was valid, I went and changed my password. Any site which relied on a cookie to post to Twitter would have been blocked out. Ha! Gotcha, suckers!
The OAuth Problem
OAuth tokens are not revoked when the master password is changed.
OAuth is a great idea – rather than give your username and password to any random site, you log on to Twitter and tell them that you authorise the referring site. The site gets an OAuth token and never gets to see your password. Great! Right? Not really.
Let’s consider the following scenario.
Alice has a Twitter username and password.
Bob runs a Twitter site.
Alice visits Bob’s site. Alice is security conscious and uses OAuth.
Eve somehow discovers Alice’s password.
Eve also visits Bob’s site and uses OAuth.
Alice gets suspicious about strange activity on her account and changes her password.
Because Bob’s site uses OAuth, it never asks either Alice or Eve to re-enter Alice’s password. Both tokens were issued before the change, and both keep working after it.
In this scenario, Alice has to visit Twitter’s OAuth Connections page and revoke access to all the sites she has previously connected to. Alice has no way of knowing when each site was last accessed. She also doesn’t know which site Eve is using.
Changing a password should – in the minds of most people – mean that you need to re-enter your password even if you have previously authenticated yourself.
In this scenario, changing the password does not revoke access for malicious users who have already used your credentials to obtain an OAuth token.
Twitter should revoke all OAuth tokens when a user’s password is changed. It is the only way to ensure that stolen credentials cannot continue to be used after a user has changed their password.
As I’ve made clear in the comments – this isn’t a vulnerability within OAuth per se. It’s a usability issue which has strong security implications.
I spoke to Eran Hammer-Lahav (listed as OAuth’s advisory contact) who said:
If you suspect someone stole your password, you should revoke any tokens you did not personally authorize. But there is no reason to revoke tokens just because you are changing password.
While I appreciate this as the official line from those in the know, it does nothing to stop an attacker who uses the same sites as you do. For example, I can see on every tweet that you use Dabr. Therefore, I can safely OAuth myself as you on Dabr. You’ll change your password, but you won’t revoke Dabr’s token because you personally authorised it.
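To make the scenario concrete, here is a toy model of a service-side token store, written for this post as an added example. It is not Twitter’s code and not part of the OAuth specification; the names (TokenStore, authorize, api_call, change_password, revoke_app, run_scenario) and the passwords are invented. The same store is run twice: once as described above, where a password change leaves every token alive, and once with the fix proposed here, where a password change clears them. It also shows the Dabr problem: per-app revocation cannot tell Alice’s own grant apart from Eve’s grant to the same app.

```python
"""Toy model of OAuth token lifetime versus password changes (illustrative, not Twitter's code)."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field


def _hash(password: str) -> str:
    # Toy hash for the model only; a real service would use a slow KDF such as bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    tokens: dict[str, str] = field(default_factory=dict)  # access token -> app name


class TokenStore:
    """Hypothetical service-side store of accounts and OAuth access tokens."""

    def __init__(self, revoke_on_password_change: bool) -> None:
        self.revoke_on_password_change = revoke_on_password_change
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(_hash(password))

    def authorize(self, username: str, password: str, app: str) -> str:
        """The OAuth approval step: whoever holds the password logs in on the
        service's own page and grants `app` a token. The app never sees the password."""
        acct = self.accounts[username]
        if acct.password_hash != _hash(password):
            raise PermissionError("wrong password")
        token = secrets.token_hex(16)
        acct.tokens[token] = app
        return token

    def api_call(self, username: str, token: str) -> bool:
        """Every later request carries only the token; nothing asks for the password again."""
        return token in self.accounts[username].tokens

    def change_password(self, username: str, old: str, new: str) -> None:
        acct = self.accounts[username]
        if acct.password_hash != _hash(old):
            raise PermissionError("wrong password")
        acct.password_hash = _hash(new)
        if self.revoke_on_password_change:
            # The proposed fix: a password change invalidates every token, so
            # anything obtained with the old password stops working immediately.
            acct.tokens.clear()

    def revoke_app(self, username: str, app: str) -> None:
        """What a Connections page offers: revoke by app, not by who obtained the token."""
        acct = self.accounts[username]
        acct.tokens = {t: a for t, a in acct.tokens.items() if a != app}


def run_scenario(revoke_on_password_change: bool) -> dict:
    store = TokenStore(revoke_on_password_change)
    store.register("alice", "hunter2")  # constructed sample credentials
    alice_token = store.authorize("alice", "hunter2", "Bob's site")
    # Eve has learned Alice's password and authorises the same site Alice uses.
    eve_token = store.authorize("alice", "hunter2", "Bob's site")

    store.change_password("alice", "hunter2", "correct horse battery staple")
    after_change = {
        "alice_token_works": store.api_call("alice", alice_token),
        "eve_token_works": store.api_call("alice", eve_token),
    }

    # Alice's only remaining tool is per-app revocation, which cannot distinguish
    # her own grant from Eve's: revoking "Bob's site" cuts off both of them.
    store.revoke_app("alice", "Bob's site")
    after_revoke = {
        "alice_token_works": store.api_call("alice", alice_token),
        "eve_token_works": store.api_call("alice", eve_token),
    }
    return {"after_password_change": after_change, "after_app_revoke": after_revoke}


if __name__ == "__main__":
    print("tokens survive password change:", run_scenario(False))
    print("tokens revoked on password change:", run_scenario(True))
```

With `revoke_on_password_change=False`, Eve’s token is still accepted after Alice changes her password, and the only thing that cuts Eve off is revoking Bob’s site entirely, which also cuts off Alice. With the flag set, the password change alone removes both tokens and Alice simply re-authorises the sites she actually uses.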
Continuing The Conversation
El Reg has a feature about Twitter and OAuth.
There’s also an interesting discussion over at Hacker News.