Dangers of 3rd Party Apps: Firefox3+Twitter+Cookies

The original posting illustrates why so much of the software that powers our everyday lives is still flawed. Worse, updates and new features often oversell their security benefit, which leaves us believing we are safe when we really are not.

So, whose fault is it that Firefox keeps a cookie for your Twitter session even when you tell it not to save your password? For one, a cookie is not a password. Firefox is not technically saving your password; it is keeping your current "session" cookie so you can continue to check your Twitter feed without logging in again, and the password manager's "never save" choice has no effect on cookies at all. The real security problem is on the server side: a long-lived persistent cookie that stays valid indefinitely, combined with allowing any number of concurrent sessions and no way for the user to see or revoke them. In the case of Twitter, this user ended up with 6 valid sessions across multiple browsers and machines, each of them a bearer token that grants the account to whoever holds it.

Earlier in 2008, GMail (Google Mail) started letting users see the number of open sessions (that is, outstanding session cookies) on their account and expire them from a central point. That matters because a stolen session cookie grants access to the account for as long as the server honours it, which on many sites means days (or years), and even a password change does not help unless the server deliberately invalidates existing sessions when the password changes.

Src: Domdingelom on security, fun and life: Is firefox+twitter+https messing with me?
