Twitter users who changed passwords after last week's cyber-attack still connect with the old, vulnerable passwords, according to The Register. Apps using the Twitter API, including the company’s own, allow access to the service without asking users to enter the new passwords.
“A password change performed on the web did not, however, cause Twitter’s own apps for iPad (under iOS 5.1.1 on an iPad 1) or iOS (under iOS 6 on an iPhone 5) to prompt us for the new password,” The Register said. “Instead, it remained possible to post tweets from both.”
Users complained that they were prompted for a new password only after deleting and reinstalling the apps. Technology journalist Alex Kidman also tweeted from an Android handset without being required to enter his new password.
“TweetDeck and other clients use OAuth, so as long as you don’t sign out, you don’t have to re-input your credential every time you open the app,” a Twitter representative told The Register.
OAuth is an open standard for authorization that uses two types of tokens, allowing clients to access server resources on behalf of a resource owner. Access tokens establish an authenticated link between users and the online service, while refresh tokens sustain and extend the authentication, initiating new sessions.
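The behaviour described above, as an added example that is not code from Twitter or The Register: a toy token service, with hypothetical names and a simplified bearer-token model, in which a token issued before a password change keeps working unless the server compares its issue time with the time of the last password change.

```python
import secrets


class TokenService:
    """Toy authorization server (hypothetical): logins issue bearer tokens."""

    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self.passwords = {}    # user -> password (plaintext only in this demo)
        self.changed_at = {}   # user -> logical time of last password change
        self.tokens = {}       # token -> (user, logical time of issue)
        self.clock = 0         # logical clock avoids timestamp ties

    def _tick(self):
        self.clock += 1
        return self.clock

    def set_password(self, user, password):
        self.passwords[user] = password
        self.changed_at[user] = self._tick()

    def login(self, user, password):
        stored = self.passwords.get(user, "")
        if user not in self.passwords or not secrets.compare_digest(
                stored.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, self._tick())
        return token

    def authorize(self, token):
        """Return the user a token speaks for, or None if it is not accepted."""
        user, issued_at = self.tokens.get(token, (None, 0))
        if user is None:
            return None
        if self.revoke_on_password_change and issued_at < self.changed_at[user]:
            del self.tokens[token]   # token predates the current password
            return None
        return user


def demo(revoke_on_password_change):
    svc = TokenService(revoke_on_password_change)
    svc.set_password("alice", "old-password")        # constructed sample data
    app_token = svc.login("alice", "old-password")   # app signs in once
    svc.set_password("alice", "new-password")        # password changed on the web
    stale = svc.authorize(app_token)                 # app was never re-prompted
    fresh = svc.authorize(svc.login("alice", "new-password"))
    return stale, fresh
```

`demo(False)` reproduces the reported behaviour, with the pre-change token still accepted, while `demo(True)` rejects it and accepts only a token obtained with the new password.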
Twitter announced it had been hacked on Feb. 1. About 250,000 out of the 200 million active users had their passwords, usernames, emails and other personal details stolen. The cyber-attack may be part of a larger hacking movement related to the recent New York Times and the Wall Street Journal breaches.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Twitter's Director of Information Security Bob Lord said. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
All Twitter users should reconsider their passwords and security status. Here are some tips and tricks:
Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist, who's always on to a cybertrendy story.