Twitter discloses it wasn’t logging users out of accounts after password resets
Weeks after Twitter’s former security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that didn’t close all of a user’s active logged-in sessions on Android and iOS after an account’s password was reset. This issue could have implications for people who had reset their password because they believed their Twitter account might be at risk, perhaps due to a lost or stolen device, for example.
Assuming whoever had possession of the device could access its apps, they would have had full access to the impacted user’s Twitter account.
In a blog post, Twitter explains that it had learned of the bug that had allowed “some” accounts to remain logged in on multiple devices after a user reset their password voluntarily.
Typically, when a password reset occurs, the session token that keeps a user logged into the app is also revoked, but that didn’t happen on mobile devices, Twitter says. Web sessions, however, weren’t impacted and were closed correctly, it noted.
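To make the revocation mechanism concrete, here is an added example (not Twitter’s code; the store, platforms and generation counter are assumptions) contrasting a reset that only closes web sessions, as the post describes, with one that invalidates every outstanding session regardless of the platform that issued it:

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    password_hash: str
    # Bumped on every password reset; a session is only valid while the
    # generation it was issued under still matches the user's current one.
    session_generation: int = 0


@dataclass
class Session:
    user_id: str
    platform: str  # "web", "android" or "ios" (constructed labels)
    generation: int


class SessionStore:
    def __init__(self):
        self.users = {}     # user_id -> User
        self.sessions = {}  # token -> Session

    def login(self, user_id, platform):
        token = secrets.token_urlsafe(32)
        gen = self.users[user_id].session_generation
        self.sessions[token] = Session(user_id, platform, gen)
        return token

    def is_valid(self, token):
        s = self.sessions.get(token)
        if s is None:
            return False
        return s.generation == self.users[s.user_id].session_generation

    def reset_password_buggy(self, user_id, new_hash):
        # Mirrors the reported behaviour: only web sessions are closed, so a
        # token held on a lost phone keeps working after the reset.
        self.users[user_id].password_hash = new_hash
        for tok, s in list(self.sessions.items()):
            if s.user_id == user_id and s.platform == "web":
                del self.sessions[tok]

    def reset_password(self, user_id, new_hash):
        # Correct: one generation bump rejects every prior session at check
        # time, with no per-platform list that a later refactor can miss.
        self.users[user_id].password_hash = new_hash
        self.users[user_id].session_generation += 1
```

The validity check runs on every request, so sessions issued before the reset fail without the reset path having to enumerate them.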
Twitter explains the bug came about after a change it made last year to the systems that power its password resets, meaning the bug has existed for several months undetected. To address the issue, Twitter has now directly informed the affected users, proactively logged them out of their open sessions across devices and prompted them to log in again. The company didn’t detail how many people were impacted, however.
“We take our responsibility to protect your privacy very seriously and it’s unfortunate this occurred,” Twitter wrote in its announcement, where it also encouraged users to review their active open sessions regularly from the app’s settings.
The issue is the latest in a long line of security incidents at the company in recent years, though it’s not as severe as some in the past, like the bug reported last month that had exposed at least 5.4 million Twitter accounts. In that case, a security vulnerability had allowed threat actors to compile information on Twitter users’ accounts, which were then listed for sale on a cybercrime forum.
This past May, Twitter was also forced to pay $150 million in a settlement with the Federal Trade Commission for using personal information provided by users to secure their accounts, like emails and phone numbers, for ad targeting purposes. And in 2019, Twitter disclosed a bug that had shared some users’ location data with partners, and another which also led to user data being shared with partners. Plus, it faced an issue where a security researcher had used a flaw in the Android app to match 17 million phone numbers with Twitter user accounts.
While it’s helpful that Twitter is transparent about the bugs it finds and the fixes it makes, the company’s overall cybersecurity issues are now under increased scrutiny following the whistleblower complaint filed by its former head of security, Peiter “Mudge” Zatko, in August.
Zatko alleged the company has been negligent in securing its platform, citing issues including a lack of employee device security, lack of protections around the Twitter source code, overbroad employee access to sensitive data and the Twitter service, numerous unpatched vulnerabilities, lack of encryption for some stored data, an excessively high number of security incidents, and more, as well as threats to national security.
In this context, even lesser bugs like the one disclosed this week may not be considered one-off missteps by a company, but rather yet another example of broader security issues at Twitter that deserve more attention.
The post Twitter discloses it wasn’t logging users out of accounts after password resets appeared first on Ferdja.