
Dangers of 3rd Party Apps: Firefox3+Twitter+Cookies

The original posting illustrates why so much of the software that powers our everyday lives is still flawed. Worse, updates or improvements often oversell the security aspect of things, which ends up making us believe that we are safe when we're really not.

So, whose fault is it that Firefox saves a cookie of your Twitter session even when you tell it not to save your password? Well, for one, cookies are not considered passwords. So Firefox is not technically saving your password; it's simply saving your current "session" so you can continue to check your Twitter feed. The real security problem stems from the overuse of cookies to store valid sessions and from allowing multiple valid sessions at once. In the case of Twitter, this user ended up with 6 valid sessions, across multiple browsers and machines.

Earlier in 2008, GMail (Google Mail) started allowing users to track the number of open sessions (meaning cookies) that they had on their account and giving users the ability to expire those sessions from a central point. A session cookie can be stolen and provide access to your account, often for days (or years) following a password change!
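To make the point concrete, here is an added example (not code from the original post, nor from Twitter or GMail) of the server-side session registry that the GMail feature implies: every issued cookie is recorded against the account, the account owner can list the live sessions, and a password change revokes every session except the one performing the change. The session store, the client labels and the user name are all constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    """One login session; `token` is the value the browser keeps in its cookie."""
    token: str
    user: str
    client: str          # constructed label such as "firefox@laptop"
    created: float
    revoked: bool = False


class SessionStore:
    """Hypothetical in-memory registry of session cookies, keyed by token."""

    def __init__(self):
        self._sessions = {}   # token -> Session

    def login(self, user, client):
        """Issue a fresh, unguessable session token and remember who it belongs to."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user, client, time.time())
        return token

    def user_for(self, token):
        """Resolve a presented cookie to its user, or None if unknown or revoked."""
        s = self._sessions.get(token)
        return None if s is None or s.revoked else s.user

    def active_sessions(self, user):
        """What a 'manage your sessions' page would show: every live cookie for the account."""
        return [s for s in self._sessions.values() if s.user == user and not s.revoked]

    def revoke(self, token):
        """Expire a single session from the central list."""
        s = self._sessions.get(token)
        if s is not None:
            s.revoked = True

    def revoke_others(self, user, keep_token):
        """Central kill switch: expire every session of `user` except the acting one."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked and s.token != keep_token:
                s.revoked = True
                count += 1
        return count

    def change_password(self, user, acting_token):
        # Tie credential rotation to session revocation, so a stolen cookie stops
        # working the moment the owner changes the password instead of living on
        # for days or years as the post describes.
        return self.revoke_others(user, keep_token=acting_token)


def demo():
    """Three sessions on different devices; one is assumed stolen; owner rotates password."""
    store = SessionStore()
    t1 = store.login("alice", "firefox@laptop")
    store.login("alice", "chrome@desktop")
    t3 = store.login("alice", "safari@phone")   # constructed: treat this cookie as stolen
    before = len(store.active_sessions("alice"))
    revoked = store.change_password("alice", acting_token=t1)
    after = len(store.active_sessions("alice"))
    return {
        "before": before,
        "revoked": revoked,
        "after": after,
        "stolen_still_valid": store.user_for(t3) is not None,
        "acting_still_valid": store.user_for(t1) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `change_password` calls `revoke_others` rather than trusting the cookie to expire on its own: a cookie is just a bearer token, so only the server side can make a stolen copy worthless.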

Src: Domdingelom on security, fun and life: Is firefox+twitter+https messing with me?

Who Hijacked Your Domain?

In the past weeks, the security blogosphere has been abuzz with stories of folks who got their web sites hijacked (and held for ransom) after their web-based email accounts were altered via the wonders of filters, which can silently redirect specific emails to an attacker's email account.
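The defensive counterpart to that story is a periodic audit of the mailbox's filter rules. The following is an added example, not from the original post or any email provider: it walks a constructed set of rules (the field names and the sample addresses are assumptions, not a real provider's format) and flags the two patterns behind the hijacks, a rule that forwards mail to a domain the owner does not control, and a rule that hides mail about passwords, domains or registrars by deleting it or marking it read.

```python
# Constructed: domains the account owner controls; forwarding elsewhere is suspect.
OWNER_DOMAINS = {"example.com"}

# Keywords that indicate mail an attacker would want to intercept or hide.
SENSITIVE_TERMS = ("password", "reset", "domain", "registrar", "transfer", "verification")

# Constructed sample of a mailbox's filter rules (hypothetical schema).
SAMPLE_RULES = [
    {"id": "r1", "from_contains": "newsletter@", "forward_to": None,
     "delete": False, "mark_read": False},
    {"id": "r2", "from_contains": "@registrar.example", "forward_to": "drop@mail-attacker.test",
     "delete": True, "mark_read": True},
    {"id": "r3", "subject_contains": "password reset", "forward_to": "me@example.com",
     "delete": False, "mark_read": False},
    {"id": "r4", "subject_contains": "domain transfer", "forward_to": None,
     "delete": True, "mark_read": False},
]


def _domain(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules, owner_domains=OWNER_DOMAINS):
    """Return (rule id, reason) pairs for every rule that looks like a hijack foothold."""
    findings = []
    for rule in rules:
        forward = rule.get("forward_to")
        matcher = " ".join(str(rule.get(k, "")) for k in ("from_contains", "subject_contains")).lower()
        touches_sensitive = any(term in matcher for term in SENSITIVE_TERMS)

        # Pattern 1: copies of mail leave the owner's control.
        if forward and _domain(forward) not in owner_domains:
            findings.append((rule["id"], "forwards mail outside owner-controlled domains: " + forward))

        # Pattern 2: sensitive mail is hidden so the owner never sees the reset or transfer notice.
        if touches_sensitive and (rule.get("delete") or rule.get("mark_read")):
            findings.append((rule["id"], "hides sensitive mail (delete/mark-read) matching: " + matcher.strip()))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_rules(SAMPLE_RULES):
        print(rule_id, reason)
```

Run against the sample, the audit keeps quiet about the newsletter rule and the owner's own self-forward, and reports the registrar rule twice (external forward plus deletion) and the domain-transfer rule once.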

Personally, I would like to see more being done by the web-based email providers to validate users' identities and protect the ever-increasing value of information being stored in email accounts.

Gmail Security Flaw Proof of Concept