Twitter iPhone apps' pre-breach passwords still active
Even after changing their passwords, Twitter users who sign in to the micro-blogging service through its iPhone and iPad apps may not be safe yet.
UK's The Register reported that Twitter's own apps for iPad and iPhone still allow access using old passwords, the ones people were using before some 250,000 Twitter accounts were breached recently.
"A password change performed on the web did not ... cause Twitter's own apps for iPad (under iOS 5.1.1 on an iPad 1) or iOS (under iOS 6 on an iPhone 5) to prompt us for the new password. Instead, it remained possible to post tweets from both," it said.
Tweetdeck, Android
It also said TweetDeck allowed tweets to be posted after the password had been changed on Twitter but not re-entered in TweetDeck.
One user said the Twitter app asked for the new password only after he deleted and re-installed the app.
Apps for Android appeared affected as well, with The Register citing the case of freelance technology journalist Alex Kidman.
It said Kidman reset his password on the web and was still able to tweet from an Android handset without being required to enter the new password.
But it quoted Twitter spokesperson Jim Prosser as saying this was not a password issue but a token issue affecting TweetDeck and other clients.
“TweetDeck and other clients use (the open authorization standard) OAuth, so as long as you don't sign out, you don't have to re-input your credential every time you open the app,” he said.
But The Register also noted that Twitter had already said it "reset passwords and revoked session tokens for these accounts" as a precaution, referring to the accounts affected by the breach rather than to users who change their passwords on their own.
On the other hand, Sophos Canada's Chester Wisniewski said Twitter had not followed best practice.
"It is possible to revoke tokens ... there is nothing that would stop them from doing it anyway," he said.
Sean Duca, an enterprise solutions architect at McAfee's APAC office, added that "when a password is changed on one device and you have two other devices logged in with the old password (for example), the vendor should terminate all open sessions for the given account." — TJD, GMA News
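The behaviour described above, and the fix Wisniewski and Duca call for, comes down to whether a service ties its access tokens to the credentials they were issued under. The following is an added illustration, not code from Twitter, TweetDeck or The Register: a hypothetical in-memory account and token store with two password-change handlers. The weak one only replaces the stored password hash, so a token issued earlier (the phone app's OAuth token) keeps working. The hardened one also bumps a per-account credential generation counter that every token records at issue time, so all outstanding tokens are rejected in one step and each client has to sign in again. All names, stores and sample accounts here are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory stores standing in for a real database.
ACCOUNTS = {}   # username -> {"salt", "pw_hash", "cred_gen"}
TOKENS = {}     # token string -> {"user", "cred_gen", "issued_at"}


def _hash_password(password, salt):
    # PBKDF2 is used only to make the example realistic; the token
    # logic below does not depend on the hashing scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(user, password):
    salt = os.urandom(16)
    ACCOUNTS[user] = {"salt": salt,
                      "pw_hash": _hash_password(password, salt),
                      "cred_gen": 0}


def check_password(user, password):
    acct = ACCOUNTS[user]
    return hmac.compare_digest(acct["pw_hash"],
                               _hash_password(password, acct["salt"]))


def issue_token(user):
    # An OAuth-style bearer token; it records the credential generation
    # current at the time it was issued.
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = {"user": user,
                   "cred_gen": ACCOUNTS[user]["cred_gen"],
                   "issued_at": time.time()}
    return tok


def change_password_weak(user, old, new):
    """Replaces the stored hash only; previously issued tokens are untouched.

    This is the behaviour the article describes: a web password change
    that leaves the phone app's token fully usable."""
    if not check_password(user, old):
        return False
    acct = ACCOUNTS[user]
    acct["salt"] = os.urandom(16)
    acct["pw_hash"] = _hash_password(new, acct["salt"])
    return True


def change_password_hardened(user, old, new):
    """Same as the weak path, but also advances cred_gen so that every
    token issued under the old credentials is rejected from now on."""
    if not change_password_weak(user, old, new):
        return False
    ACCOUNTS[user]["cred_gen"] += 1
    return True


def revoke_all_tokens(user):
    """Explicit revocation independent of any password change; the same
    counter bump terminates every open session for the account."""
    ACCOUNTS[user]["cred_gen"] += 1


def token_is_valid_weak(tok):
    # Weak check: the token merely has to exist.
    return tok in TOKENS


def token_is_valid_hardened(tok):
    # Hardened check: the token must match the account's current generation.
    rec = TOKENS.get(tok)
    if rec is None:
        return False
    return rec["cred_gen"] == ACCOUNTS[rec["user"]]["cred_gen"]


def demo():
    """Returns (weak_token_survives, hardened_token_survives, fresh_token_valid)."""
    create_account("alice", "old-password")
    phone_token = issue_token("alice")        # e.g. the iPhone app's token
    tweetdeck_token = issue_token("alice")    # a second client, same account

    # Weak path: password changed on the web, phone token still works.
    assert change_password_weak("alice", "old-password", "new-password")
    weak_survives = token_is_valid_weak(phone_token)

    # Hardened path: the change bumps cred_gen, so both old tokens fail and
    # only a token obtained by signing in again is accepted.
    assert change_password_hardened("alice", "new-password", "newer-password")
    hardened_survives = (token_is_valid_hardened(phone_token)
                         or token_is_valid_hardened(tweetdeck_token))
    fresh_token = issue_token("alice")
    return weak_survives, hardened_survives, token_is_valid_hardened(fresh_token)


if __name__ == "__main__":
    print(demo())
```

Binding tokens to a credential generation (rather than deleting token rows one by one) makes revocation a single write per account and also covers tokens the server has not yet seen again, which is what makes "terminate all open sessions" cheap enough to do on every password change. The generation counter could equally be derived from the password hash itself, so that any change of the hash invalidates the tokens automatically.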