
Security flaw?

majorawsome

So I just changed my password on Pandora, because somehow I keep getting the Linkin Park station re-added. After changing my password, I went to my smartphone to change it, and I didn't have to. I was able to keep playing my music, even add and delete stations without entering my new password.

 

I am completely shocked that this flaw has gone so long unnoticed. Please mention this to Pandora so they can fix it!

 

And that's not all. I then changed my email password (Hotmail) on my desktop and I can still RECEIVE AND SEND EMAILS on my smartphone, even the Windows 8 metro app. (I'm on 8.1 but still).

 

My theory is that once you sign into an app on a device, your account on whatever service generates a random hash, sends that to your device and lets you log in via that hash, and when you change your password the hash doesn't change. Any other ideas?

Do you want to know what grinds my gears?
The old forum.


As long as a device is logging in automatically there is no check to verify the password it is using is indeed still correct in most applications. It's a rather large security flaw, someone should let them know and have it corrected.


I think that your hash idea is pretty spot on, but it may very well be a bug. Imagine if your phone or laptop was stolen, and people still had access to your Netflix or bank's app or something. Oops.

I believe this works only for mobile apps. On a web browser you need to enter your password and username every time.

Do you want to know what grinds my gears?
The old forum.
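The behaviour discussed in this thread, as an added example that is not part of any post and is not Pandora's or Hotmail's code: a toy service where a device keeps a random token after one login, and that token either survives a password change or is invalidated by it. The `AuthService` class, the `cred_version` counter and the sample account are assumptions made for illustration.

```python
import hashlib
import secrets

class AuthService:
    """In-memory toy service; all names and data here are constructed."""

    def __init__(self, revoke_on_password_change):
        self.revoke = revoke_on_password_change
        self.users = {}     # user -> {"salt", "pw", "cred_version"}
        self.sessions = {}  # sha256(token) -> (user, cred_version at issue)

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        rec = self.users.setdefault(user, {"cred_version": 0})
        rec.update(salt=salt, pw=self._kdf(password, salt))
        if self.revoke:
            rec["cred_version"] += 1  # invalidates every token issued earlier

    def login(self, user, password):
        rec = self.users.get(user)
        if not rec or not secrets.compare_digest(rec["pw"], self._kdf(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)  # the "random hash" the device keeps
        key = hashlib.sha256(token.encode()).hexdigest()
        self.sessions[key] = (user, rec["cred_version"])
        return token

    def authenticate(self, token):
        key = hashlib.sha256(token.encode()).hexdigest()
        user, issued_version = self.sessions.get(key, (None, None))
        if user is None or issued_version != self.users[user]["cred_version"]:
            return None  # unknown token, or one that predates the current password
        return user

def phone_after_password_change(revoke_on_password_change):
    svc = AuthService(revoke_on_password_change)
    svc.set_password("alice", "old-password")
    phone_token = svc.login("alice", "old-password")   # phone signs in once
    svc.set_password("alice", "new-password")          # changed on the desktop
    return {
        "phone_token_valid": svc.authenticate(phone_token) == "alice",
        "old_password_works": svc.login("alice", "old-password") is not None,
        "new_password_works": svc.login("alice", "new-password") is not None,
    }
```

With `revoke_on_password_change=False` the phone's token keeps working even though the old password itself is rejected; with `True` the phone has to sign in again with the new password.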
