From what I understand is that OAuth was created when twitter developers identified this as a problem. The trouble is they were too busy fighting to keep twitter alive to roll it out on their own api.
The fix for this sort of thing is pretty simple. Just keep a nonce on a user (the "user version" if you will) that increments every time a user makes a change to their login credentials, store that nonce in their cookie, and if the one in the cookie is lower than the one on the server treat it as a logout.
That said, this is sort of an unserious security "issue" for most people between not really caring about the security of their account and reasonably short cookie lifetime settings.
Twitter have said they are going to implement OAuth (which would solve this problem) on their API page. However, they have shown no progress to my knowledge of doing this. It would be great for the community to push them towards it.
Twitter seem to have been so busy fire fighting that a lot of interesting stuff has seemingly dropped off the roadmap (such as XMPP).
I suspect this is actually a very common issue. Unless you explicitly expire all sessions for a user when they change their password then this will happen.
Well when you say common, do you mean with another application that utilizes an open API that is connected to many popular platforms and that is as widely used as Twitter?
I would guess that it's true for many APIs which rely on the user providing their password to the 3rd party application.
Of course that's the bigger problem. The user shouldn't have to give their password out. It's somewhat ironic that Twitter doesn't implement OAuth or something similar since Blaine Cook started OAuth.
