Yesterday I changed my Twitter password and noticed that from TweetDeck (a desktop application) I could still tweet while logged in with the old password. At that moment I remembered something related I had read or heard a few days ago; I began to search my bookmarks and indeed, David Hernández (DaboBlog) had commented on it in a talk.
If you change your account password on twitter.com, any application that was already authorized can still access the account with the old password. This also applies to applications used from a mobile device:
In this screenshot I am writing a tweet from the iPhone with the old password; at no time was I asked to enter the new one 🙂
This can be a serious problem if a device (mobile, tablet or laptop) is lost, since any user would assume that changing the password secures the account, but as we see this is not so. Even if the password is changed 50 times, access remains enabled until the application logs in again or its access is revoked so that a new token is required.
How to disable access to applications?
It is very simple: in the Configuration panel, open the Applications section and revoke access (the applications must disappear from the list of allowed applications); from then on, the new password will be requested when an application tries to log in again:
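The behaviour described above, as an added example that is not part of the original post: a hypothetical toy account store in Python where application tokens are issued against the password once and then live on their own, so a password change alone does not invalidate them. It shows both the "keep tokens" behaviour the post observed and a hardened variant in which changing the password revokes every issued token, plus the manual per-application revocation the Applications panel performs.

```python
import hashlib
import hmac
import secrets


class Account:
    """Hypothetical account with a password hash and a set of app tokens."""

    def __init__(self, password: str) -> None:
        self._set_password(password)
        self.tokens: set[str] = set()  # tokens issued to applications

    def _set_password(self, password: str) -> None:
        # Salted PBKDF2 hash; the iteration count is illustrative only.
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000
        )

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000
        )
        return hmac.compare_digest(candidate, self.pw_hash)

    def authorize_app(self, password: str) -> str:
        """Application logs in once and receives a long-lived token."""
        if not self.check_password(password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(24)
        self.tokens.add(token)
        return token

    def token_is_valid(self, token: str) -> bool:
        # Later requests are checked only against the token set,
        # never against the current password.
        return token in self.tokens

    def revoke_app(self, token: str) -> None:
        """What the Applications panel does for one entry."""
        self.tokens.discard(token)

    def change_password_keep_tokens(self, new_password: str) -> None:
        """Behaviour observed in the post: tokens survive the change."""
        self._set_password(new_password)

    def change_password_revoke_tokens(self, new_password: str) -> None:
        """Hardened variant: every application must log in again."""
        self._set_password(new_password)
        self.tokens.clear()
```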
But this is not the most curious thing of all: as Dabo notes, something similar happens with other services, for example Dropbox.
Surely, as they say in a famous documentary channel, you never imagined …