Twitter reveals it wasn’t logging users out of accounts after password reset • TechCrunch

Weeks after Twitter’s former security chief accused the company of mismanaging cybersecurity, Twitter is now alerting its users to a bug that failed to close all active logged-in sessions on Android and iOS after an account’s password was reset. The issue could have consequences for people who reset their password precisely because they believed their Twitter account might be at risk, for example after a device was lost or stolen.

If whoever holds the device can open its apps, they would have full access to the affected user’s Twitter account.

In a blog post, Twitter says it learned of a bug that allowed some accounts to remain logged in on multiple devices after a user voluntarily reset their password.

Normally, when a password reset occurs, the session token that keeps the user logged into the app is also revoked, but that did not happen on mobile devices, Twitter says. The company noted that web sessions were not affected and were closed properly.

Twitter explains that the bug was introduced by a change it made last year to the systems that support password resets, which means it went undetected for months. To address the issue, Twitter directly informed affected users, proactively logged them out of their open sessions across devices and prompted them to log in again. The company did not say how many people were affected.
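As an added illustration (constructed here, not Twitter’s code or a description of its systems), this Python model shows the failure mode and one common remedy: a reset path that revokes only web sessions leaves mobile tokens alive, while tying each token to a per-user password generation invalidates every pre-reset session on every platform. `Session`, `SessionStore`, `active_platforms` and `demo` are all hypothetical names.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    token: str
    user_id: str
    platform: str      # "web", "android" or "ios"
    password_gen: int  # password generation the token was issued under

class SessionStore:
    """Constructed session store (hypothetical; not Twitter's implementation)."""
    def __init__(self):
        self.sessions = {}      # token -> Session
        self.password_gen = {}  # user_id -> current password generation

    def login(self, user_id, platform):
        token = secrets.token_hex(16)
        gen = self.password_gen.setdefault(user_id, 0)
        self.sessions[token] = Session(token, user_id, platform, gen)
        return token

    def is_valid(self, token):
        s = self.sessions.get(token)
        # A token is honoured only while the user's password generation still matches the one it was issued under.
        return s is not None and s.password_gen == self.password_gen.get(s.user_id, 0)

    def reset_password_buggy(self, user_id):
        # Failure mode from the article: the reset path revokes only web sessions, so mobile tokens keep working.
        for token, s in list(self.sessions.items()):
            if s.user_id == user_id and s.platform == "web":
                del self.sessions[token]

    def reset_password_fixed(self, user_id):
        # Bump the generation: every token issued before the reset is rejected on its next use, on every platform.
        self.password_gen[user_id] = self.password_gen.get(user_id, 0) + 1

def active_platforms(store, user_id):
    """Platforms on which the user still holds a valid session."""
    return sorted(s.platform for s in store.sessions.values()
                  if s.user_id == user_id and store.is_valid(s.token))

def demo(reset):
    """Log 'alice' in on three platforms, run the given reset path and report what survives."""
    store = SessionStore()
    for platform in ("web", "android", "ios"):
        store.login("alice", platform)
    getattr(store, f"reset_password_{reset}")("alice")
    return active_platforms(store, "alice")  # 'buggy' -> ['android', 'ios'], 'fixed' -> []
```

The generation check also makes a missed revocation detectable: any request carrying a token whose generation is behind the user’s current one is a session that should already have been closed.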

In its announcement, Twitter encouraged users to regularly review their active open sessions from the app’s settings.

This issue is the latest in a long line of security incidents at the company in recent years, although it is not as serious as some in the past, such as the bug reported last month that exposed at least 5.4 million Twitter accounts. In that case, a vulnerability allowed threat actors to collect information on Twitter user accounts, which was then listed for sale on a cybercrime forum.

Last May, Twitter also had to pay $150 million in a settlement with the Federal Trade Commission for using personal information that users had provided to secure their accounts, such as email addresses and phone numbers, for ad-targeting purposes. In 2019, Twitter disclosed a bug that shared some users’ location data with partners, and another that led to user data being shared with partners. Additionally, there was an incident in which a security researcher used a flaw in an Android app to match 17 million phone numbers with Twitter user accounts.

While it is helpful for Twitter to be transparent about the errors it finds and the fixes it makes, the company’s overall cybersecurity posture is now coming under more scrutiny after a whistleblower complaint was filed by former security chief Peter “Mudge” Zatko in August.

Zatko alleged that the company was negligent in securing its platform, citing problems including a lack of employee device security, a lack of protection around Twitter’s source code, excessive employee access to sensitive data and Twitter’s service, a number of unpatched vulnerabilities, a lack of encryption for some stored data, a very large number of security incidents, and more, as well as threats to national security.

In this context, even minor bugs like the one disclosed this week may be seen not as one-off errors on the company’s part, but as further examples of broader security issues at Twitter that deserve more attention.