Once when I checked my Twitter timeline this past weekend I noticed a tweet that I am certain I did not post. I have no idea how it got posted under my account, and although when I searched for news about any new Twitter hacks I didn’t find anything, I decided to change my Twitter password. I expected that after changing the password on Twitter’s web site I would have to re-enter the password in the numerous Twitter apps I use, but to my surprise that was not the case, and even more surprising to me is that this is the expected behavior.
After I changed the password I started the Seesmic app on my Nexus S. You’ll notice if you look that there is no option in Seesmic’s settings to logout of Twitter or to change a login id or password. I tried posting a new tweet, expecting that I would then be prompted to enter my new password and instead my tweet was successfully posted.
Twitter uses something called OAuth authentication for third party apps that integrate with its service. You may notice that the first time you connect an app to Twitter you are redirected to Twitter’s web site (on a phone the web browser usually launches) to enter your login id and password, after which you return to the app. After that first connection you never again enter your Twitter login id and password to use the app.
During that first connection Twitter issues the app a unique access key (an OAuth access token) that the app uses to authenticate on your behalf, and that key continues to work even after you change your password on Twitter. This means that if you lose your phone and change your password on the Twitter web site, someone who picks up the phone, if it is not secured, can still post tweets under your account from any Twitter app on it.
Fortunately, Twitter does provide a way to disable application access. Go into your account settings on the Twitter web site and click Applications. You will see a list of all of the third party apps you have connected to your Twitter account, and to the right of each is a button labeled Revoke Access. Click Revoke Access to stop that app from accessing your Twitter account.
I think Twitter ought to integrate changing your password, which is in a different area of settings, with application access. A default behavior could be that all application access is revoked when you change your password; this would force you to reconnect your apps but helps ensure that no one but you accesses your Twitter account. Twitter could make revoking access optional, but at the least it should inform users when they change their password that third party apps still have access to their account.
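The default behavior proposed above can be implemented on the service side without the apps knowing anything about it: each access token records the "credential generation" it was issued under, and a password change bumps the generation so every older token stops validating. The following is an added toy example written for this post, not Twitter's code; the `AuthService` class, its method names and the sample user are all constructed.

```python
import hashlib, hmac, os, secrets


class AuthService:
    """Constructed OAuth-style token store. Tokens are tied to the password
    generation they were issued under; changing the password invalidates
    all of them at once, while revoke_app() drops a single app's tokens."""

    def __init__(self):
        self.users = {}    # user_id -> {"salt", "hash", "generation"}
        self.tokens = {}   # token   -> {"user", "app", "generation"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "hash": self._hash(password, salt),
                               "generation": 0}

    def _check_password(self, user_id, password):
        u = self.users[user_id]
        return hmac.compare_digest(self._hash(password, u["salt"]), u["hash"])

    def authorize_app(self, user_id, password, app):
        """The one-time browser login step: returns the app's long-lived token."""
        if not self._check_password(user_id, password):
            raise PermissionError("wrong password")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": user_id, "app": app,
                              "generation": self.users[user_id]["generation"]}
        return token

    def token_is_valid(self, token):
        t = self.tokens.get(token)
        return t is not None and t["generation"] == self.users[t["user"]]["generation"]

    def change_password(self, user_id, old, new):
        if not self._check_password(user_id, old):
            raise PermissionError("wrong password")
        u = self.users[user_id]
        u["salt"], u["hash"] = os.urandom(16), None
        u["hash"] = self._hash(new, u["salt"])
        u["generation"] += 1   # every previously issued app token now fails
        return u["generation"]

    def revoke_app(self, user_id, app):
        """The manual Revoke Access button: remove only this app's tokens."""
        for tok in [k for k, v in self.tokens.items()
                    if v["user"] == user_id and v["app"] == app]:
            del self.tokens[tok]

    def connected_apps(self, user_id):
        return sorted({v["app"] for k, v in self.tokens.items()
                       if v["user"] == user_id and self.token_is_valid(k)})
```

Apps whose tokens fail validation simply see an authorization error and send the user back through the browser login, which is the reconnect step described above.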