So - Twitter was hacked this week. Which happens to the best of us, and is going to happen more often in the future. They invalidated the passwords for 250k user accounts (though anecdotal reports would seem to indicate that it's more than that). But here's the strange thing - even though my password was invalidated and inactive, the OAuth tokens for apps I'd approved access for still worked. And they continued to work even after I'd changed my password. If they thought it was possible that my account was compromised, why weren't these tokens deactivated, even temporarily?
Granted, most of these access tokens are for mobile apps, for using my Twitter credentials to post on someone else's site instead of drawing from my Twitter feed, or for enabling other apps to post _to_ my Twitter stream on my behalf. But some of them are reading my stream, including direct messages, and someone with my password could have potentially spread the damage around to other services (adding significant hassle to the cleanup), and could also have added more tokens without my knowledge. (It's possible that they deactivated more recent ones.) They did ask me to review them after resetting my password, but it was entirely optional, and a less savvy user may not have known what to look for.
This seems like a serious and surprising oversight. I think most technical people barely understand the implications of authorization delegation, let alone everyone else. It seems like it should have been a reasonable precaution to at least turn all of those off until my password was changed.
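As an added example (not code from the original post, and not Twitter's implementation), here is one way a provider could tie delegated access to the credential reset described above: a suspected compromise suspends every grant, a password reset invalidates grants made under the old credentials, and each app must be explicitly re-approved. All class and method names are my own assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AccessToken:
    token_id: str
    app: str
    scopes: frozenset
    # Credential generation the user was on when this grant was approved.
    cred_generation: int
    active: bool = True


@dataclass
class Account:
    username: str
    cred_generation: int = 0
    # Set when the provider suspects compromise; delegated access stays off
    # until the password is reset and each grant is reviewed again.
    suspected_compromise: bool = False
    tokens: dict = field(default_factory=dict)

    def grant(self, token_id, app, scopes):
        """Approve an app; the grant is bound to the current credential generation."""
        self.tokens[token_id] = AccessToken(token_id, app, frozenset(scopes), self.cred_generation)

    def mark_suspected_compromise(self):
        """Invalidate the password AND suspend every delegated token at once."""
        self.suspected_compromise = True

    def reset_password(self):
        """Bump the generation so grants made under the old password go stale."""
        self.cred_generation += 1
        self.suspected_compromise = False

    def reapprove(self, token_id):
        """User reviewed this app after the reset and chose to keep it."""
        tok = self.tokens[token_id]
        tok.cred_generation = self.cred_generation
        tok.active = True

    def revoke(self, token_id):
        self.tokens[token_id].active = False

    def authorize(self, token_id, scope):
        """Return True only if the token is live, current, and holds the scope."""
        tok = self.tokens.get(token_id)
        if tok is None or not tok.active or self.suspected_compromise:
            return False
        if tok.cred_generation != self.cred_generation:
            return False  # stale grant from before the password reset
        return scope in tok.scopes
```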
