Apparently I've visited this website 64 times today. I'm sorry, but I'm not THAT addicted :)
Moreover, it says I have no passwords saved yet it logged me in automagically, so let's click through on the View Saved Passwords button. I would expect it to be grayed out since there are no passwords saved. Damn, it even has the correct username, how would it otherwise be able to log me in? Indeed. So I click the Show passwords button and it reveals my password. Sorry, let me rephrase that, Firefox reveals A password but not my current password.
WTF?
I tried this again and again, same behaviour. How can it log me in with a wrong password? At this moment it looks like the culprit is the auth token, which is a cookie saved and set to expire 20 years from now.
I'll have to get back to this since duty calls but FF3+Twitter right now doesn't feel like the right combination. If anybody can and/or wants to shine a light on this behaviour, I'm open to suggestions.
2 comments:
It's the authentication cookie. 20 years is way too long. But a lot of sites have similar behavior. Steal the cookie, steal the key to the kingdom.
The cookie has been a discussion point before. If someone ever finds out your password or you give away your password to some cool 3rd application, it's hard to keep them out, even if you change your password. Just because of the session cookie.
Just have a look at
http://zackfasel.com/blog/?p=13
Twitter is taking steps to improve security but there is still room for improvement.
@Security4all
it is the authentication cookie. 20 years isn't way too long, it's unacceptable and something they can change very quickly.
Combine this with the twitterank scenario. Even after your password has changed, they will have access to your account with the authentication cookie, it doesn't change depending on the workstation or software you use. It's the same cookie EVERYWHERE!
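As an added example (not code from this post, nor Twitter's or Firefox's), here is the server-side fix the post and both comments point at: a "remember me" cookie with a bounded lifetime that is bound to a per-user token version, so changing the password bumps the version and every cookie issued before the change stops working. The names (`SERVER_KEY`, `USERS`, `issue_cookie`, `validate_cookie`, `change_password`) are the example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for the demo: a process-local signing key and an in-memory user store.
# In production the key lives in a secrets store and the record in the user database.
SERVER_KEY = secrets.token_bytes(32)
USERS = {"alice": {"token_version": 1}}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, max_age: int = 14 * 86400) -> str:
    """Issue a persistent login cookie: user|version|expiry|HMAC, valid for max_age seconds (not 20 years)."""
    expires = int(time.time()) + max_age
    payload = f"{user}|{USERS[user]['token_version']}|{expires}"
    return f"{payload}|{_sign(payload)}"


def validate_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is genuine, unexpired and still current; otherwise None."""
    try:
        user, version, expires, sig = cookie.split("|")
    except ValueError:
        return None  # malformed
    if not hmac.compare_digest(sig, _sign(f"{user}|{version}|{expires}")):
        return None  # forged or tampered with
    if (now if now is not None else time.time()) > int(expires):
        return None  # past its bounded lifetime
    record = USERS.get(user)
    if record is None or int(version) != record["token_version"]:
        return None  # issued before a password change or a "log out everywhere"
    return user


def change_password(user: str) -> None:
    """Bump the token version on password change (the password-hash update itself is omitted here)."""
    USERS[user]["token_version"] += 1


if __name__ == "__main__":
    cookie = issue_cookie("alice")
    print(validate_cookie(cookie))  # alice
    change_password("alice")
    print(validate_cookie(cookie))  # None: the old cookie is dead, unlike the 20-year Twitter one
```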