OAuth & Changing Passwords

Valid point by Brent Simmons:

When Twitter was recently hacked, I was among those who got an email saying I was affected. So I changed my password.

But here’s what I’ve noticed: changing my password does not cause any of the Twitter clients on my iPhone to ask me again for authentication. They just keep working normally.

In such cases it would be wise indeed for the service (Twitter, in this case) to automatically revoke the access tokens of all authorized apps when the password changes, forcing every client to re-authenticate with the new credentials. Otherwise an attacker who obtained a token while the old password was in play keeps that access no matter how many times the user rotates the password.

Security Bug? →


Note: Perhaps now’s the time to check which apps you’ve authorized on Twitter?

UPDATE 2013.02.21: Facebook apparently already has such a system in place: when you change your password, all access tokens expire immediately, and Facebook returns error code 190 / sub_code 460 (Error validating access token: The session has been invalidated because the user has changed the password) to every app that then tries to access the platform on your behalf. Thanks, Jurriaan!

Published by Bramus!

Bramus is a frontend web developer from Belgium, working as a Chrome Developer Relations Engineer at Google. From the moment he discovered view-source at the age of 14 (way back in 1997), he fell in love with the web and has been tinkering with it ever since.
