Users of Twitter’s iPad app risk leaving their account exposed, after a PC Advisor test showed that a user’s status and bio can still be updated from the app while it is signed in with old credentials.
After changing the password for an individual account on Twitter.com this morning, we tried updating the status of the same account using Twitter’s official iPad app.
Rather than preventing access to the account and asking us to sign in with the new password, the app allowed us to update the status four times over a 45-minute period with old credentials, during which time the password was changed online twice.
Only after removing the account from the Twitter app, and signing in again, did the app prompt us to enter the new password.
Updating the app via Apple’s App Store didn’t fix the problem.
The glitch appears to be a big oversight from Twitter, which makes bold claims about the security of its platform on its website. Someone losing their iPad would leave their Twitter account open to abuse, while private messages would be accessible to unauthorised users.
We’ve reported the bug to Twitter’s security team, and await the response.