In reply to Dossy
Hi,

I understand how OAuth works - and I think it's a great idea for security. But consider the following...

Suppose a hacker somehow gets your password. She uses it to OAuth with a Twitter application. You notice strange activity and change your password. The hacker is still able to use Twitter as you. Your password has changed but the hacker's access hasn't been revoked - even though she is using the "old" password.

I don't think OAuth is broken - I think that Twitter should revoke all tokens when you change your password. Otherwise changing your password has no effect on malicious users logged in through OAuth.

I only saw the OAuth Connections Page because I went looking for it. I doubt a "normal" user would give it a second thought. They've changed their password - so all "baddies" have been kicked out. Right?

I'm not for one second questioning the security of OAuth nor its usefulness. But in this case, the lack of usability has caused a security problem.

Terence
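
The scenario in the comment above, modelled as an added example (not part of the original comment, and not Twitter's code): a toy authorization server where each token records the account's credential generation at issue time, so a password change can invalidate every earlier grant. `AuthServer`, `scenario`, the account name and the passwords are all hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Toy authorization server (hypothetical; not Twitter's implementation)."""

    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self.users = {}   # username -> {"salt", "pw_hash", "generation"}
        self.tokens = {}  # token -> (username, app, generation at issue time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        user = self.users.setdefault(username, {"generation": 0})
        user["salt"], user["pw_hash"] = salt, self._hash(password, salt)
        if self.revoke_on_password_change:
            # Bumping the generation invalidates every token issued earlier.
            user["generation"] += 1

    def authorize(self, username, password, app):
        """Log in with the password and grant `app` an access token."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
                user["pw_hash"], self._hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, app, user["generation"])
        return token

    def token_valid(self, token):
        entry = self.tokens.get(token)
        if entry is None:
            return False
        username, _app, generation = entry
        return generation == self.users[username]["generation"]


def scenario(revoke_on_password_change):
    """Return (token granted before the change still valid?, old password still accepted?)."""
    server = AuthServer(revoke_on_password_change)
    server.set_password("alice", "old-password")        # constructed values
    stale = server.authorize("alice", "old-password", "unknown-app")
    server.set_password("alice", "new-password")        # owner changes password
    old_pw_ok = server.authorize("alice", "old-password", "x") is not None
    return server.token_valid(stale), old_pw_ok
```

`scenario(False)` reproduces the situation described: the old password is rejected but the earlier token still works. `scenario(True)` shows the token rejected as well.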