Shutting Twitter backdoors
Having recently been warned by Twitter that his password might have been compromised, Terence Eden changed it. But having 'changed the lock on the Twitter door', he realised that a second door to the service remained wide open: OAuth access.
OAuth is a protocol for granting third-party services access to an account (such as a Twitter account) without having to tell the third party your password. For this to work, the user simply confirms in Twitter that app XYZ is permitted to access his or her Twitter profile. That authorisation then stands on its own: it is not tied to the password and remains in force even after the user changes it.
This means that once an attacker has got hold of a user's password, he can use it to authorise a service of his own choosing, say 'My Backdoor'. Twitter then issues My Backdoor an OAuth token with which it can access the account in future. Since it is the token, not the password, that the service presents on each request, the token remains valid even after the legitimate account owner has reset his password, and the attacker-controlled My Backdoor service keeps full access to the user's Twitter account.
To resolve this problem, Twitter would at least have to offer the option of revoking all outstanding OAuth tokens when the user changes his or her password, as Yahoo!, for example, does. Until Twitter introduces such an option, Twitter users who are in any doubt should open the list of authorised applications in their account settings and remove all authorised connections manually.
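To make the mechanism concrete, here is an added example, not code from The H, Twitter or Yahoo!: a toy authorisation server in Python that issues app tokens on top of password logins. The class name, the credential-version scheme, the account and app names and the `revoke_tokens` switch are assumptions for illustration. It shows both behaviours described above: with `revoke_tokens=False` the 'My Backdoor' token survives a password reset, with `revoke_tokens=True` the reset invalidates every token issued before it, and `revoke_app` models removing a connection by hand from the account settings.

```python
import hashlib
import hmac
import secrets


class OAuthServer:
    """Hypothetical authorisation server: password login plus app tokens.

    Each user record carries a credential version. Every token remembers the
    version current when it was issued, and a token is honoured only while
    the two still match. Bumping the version on password change is what
    revokes outstanding tokens. (Illustrative model, not Twitter's code.)
    """

    def __init__(self):
        self.users = {}   # username -> {"salt", "pw_hash", "cred_version"}
        self.tokens = {}  # token string -> {"user", "app", "cred_version"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt,
                            "pw_hash": self._hash(password, salt),
                            "cred_version": 1}

    def check_password(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], self._hash(password, rec["salt"]))

    def authorize_app(self, user, password, app):
        """The 'allow app XYZ' step. Anyone holding the password can do it,
        so an attacker can authorise 'My Backdoor' exactly as the owner would."""
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "app": app,
                              "cred_version": self.users[user]["cred_version"]}
        return token

    def api_request(self, token):
        """Return the account a token acts for, or None if it is not valid.
        The password is never involved here; only the token is presented."""
        rec = self.tokens.get(token)
        if rec is None:
            return None
        if rec["cred_version"] != self.users[rec["user"]]["cred_version"]:
            return None  # issued before a password change that revoked tokens
        return rec["user"]

    def change_password(self, user, old, new, revoke_tokens):
        """revoke_tokens=False is the behaviour the article criticises:
        the lock is changed but every token keeps working."""
        if not self.check_password(user, old):
            return False
        rec = self.users[user]
        rec["salt"] = secrets.token_bytes(16)
        rec["pw_hash"] = self._hash(new, rec["salt"])
        if revoke_tokens:
            rec["cred_version"] += 1  # Yahoo!-style: every existing token dies
        return True

    def authorized_apps(self, user):
        """What the user would see under 'authorised applications'."""
        return sorted({rec["app"] for tok, rec in self.tokens.items()
                       if rec["user"] == user and self.api_request(tok)})

    def revoke_app(self, user, app):
        """Manual removal of one connection from the account settings."""
        for tok in [t for t, r in self.tokens.items()
                    if r["user"] == user and r["app"] == app]:
            del self.tokens[tok]


def demo():
    """Replay the scenario from the article; returns whether the backdoor
    token still works (a) after a plain reset, (b) after a revoking reset."""
    srv = OAuthServer()
    srv.register("alice", "hunter2")            # constructed sample account
    backdoor = srv.authorize_app("alice", "hunter2", "My Backdoor")  # attacker
    srv.change_password("alice", "hunter2", "correct horse", revoke_tokens=False)
    survives_plain_reset = srv.api_request(backdoor) == "alice"
    srv.change_password("alice", "correct horse", "battery staple", revoke_tokens=True)
    survives_revoking_reset = srv.api_request(backdoor) == "alice"
    return survives_plain_reset, survives_revoking_reset


if __name__ == "__main__":
    print("backdoor token alive after (plain reset, revoking reset):", demo())
```

Tying tokens to a credential version rather than deleting them one by one means a single password change invalidates every token at once, including any the owner never noticed in the settings page; the manual `revoke_app` path is what a user is left with when the server does not offer that.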
- Twitter fails to block Cross Site Scripting flaw, a report from The H.