Changing your Twitter password – Bad design or security hole?

When you reset your Twitter password it does not automatically cascade across all of your allowed applications. In other words, ANY Twitter app will continue to function just fine until you manually revoke permissions. Yep…manually. The apps even continue to work after you, say, reboot your phone. However, once you’ve revoked permissions then most apps will prompt you for a new password. More on that at the end of this post.

Why should you care? Because if your Twitter password or your smartphone is ever stolen and you don’t revoke permissions, then the bad guys can continue to use Twitter apps that you approved.

Twitter doesn’t really tell you much about how password changes work. On the password changed acknowledgement page there’s a deceptively mild mannered blurb of text that simply asks if you want to review the applications that can access your account. This is what the page looks like:

Call me crazy, but it seems natural to me that if you change your Global password, that any application using that password should be auto-majically changed as well. The technical answer is contained deep within the Twitter Developer FAQ:

When using OAuth, application connectivity and permissions do not change when a user resets their password on The relationship between Twitter, a user, and a third-party application do not involve a username and password combination. When a Twitter user changes their password, we’ll now ask the user whether they would also like to revoke any of their application authorizations, but any revocations are manually executed by the end user.

My response to this is your average user has no clue about the pros and cons of using OAuth and they most likely don’t really care.

My immediate suggestion to Twitter is that they should provide a “Learn More” link on the password has been changed acknowledgement page that provides informative bullet points on how changing your password affects or doesn’t affect other Twitter applications. They should also include a warning in bold letters that tells you that applications can and will continue to use the old password — until you revoke their access.

Now, full disclosure is that I did get my password stolen and I was, fortunately, able to quickly reset it before any major damage happened. I was lucky. However, it wasn’t until a day later that I had done enough research to know about revoking access on all of my applications. Like I said above: I figured the password change would automatically affect all applications. However, I simply got curious when I noticed my Android Twitter app kept working fine and never asked me for a new password. It was possible the criminals could have still used any of these other applications with my old password. Yikes!

Conclusion. My experience after revoking permissions wasn’t exactly seamless and your mileage may vary (YMMV) depending on how your third party app was built. My Android Twitter application simply appeared to send a tweet with no indication anything was wrong. I only knew it wasn’t sending tweets because I checked using Twitter’s web app. Only after I did a full restart on the phone did the app finally ask for a password. Hmmm.  TweetDeck at least let me know that my tweets failed to send, and within a minute it displayed a dialog box asking for the new password (TweetDeck screenshot below). Also, it’s important to note that after entering the new password Twitter mysteriously un-revoked my access and I could send tweets again.

The good news is that revoking access does immediately shut off an apps ability to send tweets. The so-so news is that once the correct new password was entered, then Twitter mysteriously un-revokes status on the app. This bothered me. I would think if you manually revoke access to an app, then as a security best practice you would also have to manually un-revoke access as well.

So, is this poor design, a security hole or maybe even both?


Twitter Developer FAQ – How do password resets affect authorization?

Twitter Application Permissions Model

[Edited 8/26/12] Twitter Help – My account has been compromised