Security issue:Password change doesn't invalidate existing token
TotalSchnurz

I suspect that my password has leaked (through no fault of Toodledo). So I changed the password using the website, which kept me logged in. That means it either issued a new auth token right away, or (I'm not sure if this is technically feasible) the existing token continued to be valid.

But what shocked me is that in the Android app (next gen version) the auth token continues to be valid! I can actually still access and edit my data from the Android app using the outdated login's auth token. How is that possible? I'm not an expert, but it seems like a serious security issue. Is there a way to invalidate all logins? I guess I could activate 2FA, but I don't actually want that (and don't even know if it would work).

TotalSchnurz

I tried to activate 2FA, but that didn't invalidate the existing login either. That seems unacceptable, unless I'm getting something completely wrong.

SnowLeopard

I hope this gets answered. Not good.

PamelaH (Toodledo Admin)

If someone finds himself/herself in this situation, we recommend using the Block buttons at https://www.toodledo.com/active_apps.php and filing a support ticket.

TotalSchnurz

Thanks for the pointer.

Interesting; my Android app (next gen) shows up as iOS - that had me worried for a moment, because I don't use Apple products myself :-) Does this also work for other web logins? Or is that what the support ticket would be for?

PamelaH (Toodledo Admin)

Your browser only continued to work after changing passwords because it was in the same browser, on the same session where you were making the password change. If you log in via *another* web browser (or in a separate Incognito window) you will see that changes won't propagate in either direction and as soon as you try to click to another page (e.g. from Tasks to Lists), you're redirected to a login page.
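Added example, not Toodledo's code (nothing in the thread says how their backend works): a toy session store in which every token is stamped with the per-user credential version current at issue time. A password change or 2FA enablement bumps that version, so the Android app's token and every other login stop validating immediately, while the session that made the change receives a fresh token and stays logged in, as the admin reply describes. The names AuthService, change_credentials and the dict layout are assumptions made for this illustration.

```python
import hashlib, hmac, os, secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    # Illustration only. Each token records the credential_version it was issued
    # under; bumping that version on a password change or 2FA enablement expires all
    # other sessions, including a mobile app holding a token from the old password.
    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "credential_version"}
        self.sessions = {}  # token -> {"user", "client", "version"}

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt), "credential_version": 0}

    def _issue(self, username, client):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "client": client,
                                "version": self.users[username]["credential_version"]}
        return token

    def login(self, username, password, client):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
            return None
        return self._issue(username, client)

    def validate(self, token):
        sess = self.sessions.get(token)
        if sess and sess["version"] == self.users[sess["user"]]["credential_version"]:
            return sess["user"]
        self.sessions.pop(token, None)  # unknown, or stale: issued before a credential change
        return None

    def change_credentials(self, token, new_password=None):
        # Password change (new_password given) or 2FA enablement (None): bump the version
        # and re-issue a token only to the calling client, so that session stays logged in.
        username = self.validate(token)
        if username is None:
            return None
        if new_password is not None:  # verifying the old password is omitted here
            salt = os.urandom(16)
            self.users[username].update(salt=salt, hash=_hash(new_password, salt))
        self.users[username]["credential_version"] += 1
        client = self.sessions.pop(token)["client"]
        return self._issue(username, client)
```

A real service would also offer per-session revocation (the equivalent of the Block buttons mentioned above) by deleting a single entry from the session store.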