In the recent attack on Twitter in which information for about 250,000 users was compromised, Twitter’s forced password reset may not have been enough to fix the problem, writes the blog Talking Identity. The problems may continue through the use of OAuth tokens.
The blog notes that use of OAuth tokens enables third-party apps to access Twitter, even when the passwords were reset. Twitter’s forced password reset didn’t fully shut down the apps’ access to the site. This means that hackers could get into the system and enable an OAuth token that would still allow them access after the attack had been shut down.
This scenario has implications for businesses that use BYOD policies and have employees who consistently authorize apps without monitoring them on a regular basis.
Lax oversight over these apps and the OAuth tokens employed by them could mean that an unwanted third party app could have access to a company’s cloud-based services, which could lead to further incidences of compromised data.
Read more here.