Weeks after Twitter’s former security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that did not close all active login sessions on Android and iOS after an account password had been reset. This issue could have implications for anyone who reset their password because they believed their Twitter account might be at risk, for instance after a lost or stolen device.
Assuming that anyone holding the device could open its apps, they would still have full access to the affected user’s Twitter account.
In a blog post, Twitter explains that it learned of the bug that allowed “some” accounts to remain signed in on multiple devices after a user voluntarily reset their password.
Normally, when a password reset occurs, the session token that keeps the user signed in to the app is also revoked — but that didn’t happen on mobile devices, Twitter said. However, web sessions were not affected and were closed appropriately, it noted.
Twitter explains that the bug occurred after a change was made last year to the systems that drive password resets, meaning the bug had existed for several months without being noticed. To address the issue, Twitter has now directly informed affected users, proactively logged them out of their open sessions on various devices and prompted them to log back in. However, the company did not specify how many people were affected.
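The failure mode described above is that revocation worked for one client type (web) and not others (mobile). The illustration below is an added example, not Twitter's code, and every identifier in it (SessionStore, the user "alice", the client labels) is constructed for the demonstration. It contrasts a reset routine that revokes sessions by enumerating client types, which silently misses whatever is left out of the list, with one that ties every token to a per-user password version, so a reset invalidates all earlier tokens regardless of where they were issued.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Session:
    token: str
    user_id: str
    client: str            # "web", "android" or "ios" (constructed labels)
    password_version: int  # the user's password version when the token was issued


class SessionStore:
    """In-memory session store (hypothetical); real deployments keep this in a database or cache."""

    def __init__(self) -> None:
        self._password_version: dict[str, int] = {}
        self._sessions: dict[str, Session] = {}

    def add_user(self, user_id: str) -> None:
        self._password_version[user_id] = 0

    def login(self, user_id: str, client: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user_id, client, self._password_version[user_id])
        return token

    def is_valid(self, token: str) -> bool:
        s = self._sessions.get(token)
        if s is None:
            return False
        # A token is only good while it carries the user's current password version.
        return s.password_version == self._password_version[s.user_id]

    def active_sessions(self, user_id: str) -> list[str]:
        """Client names of every session still valid: what a user reviewing their sessions page would see."""
        return sorted(s.client for s in self._sessions.values()
                      if s.user_id == user_id and self.is_valid(s.token))

    def reset_password_per_client(self, user_id: str, clients_to_revoke: tuple[str, ...]) -> None:
        """Revocation by enumerating client types: a hypothetical model of the bug's shape.

        Any client type missing from clients_to_revoke keeps a working session after the reset.
        """
        stale = [t for t, s in self._sessions.items()
                 if s.user_id == user_id and s.client in clients_to_revoke]
        for token in stale:
            del self._sessions[token]

    def reset_password(self, user_id: str) -> None:
        """Bump the user's password version: every previously issued token now fails is_valid,
        no matter which client it came from, and no per-client list can be out of date."""
        self._password_version[user_id] += 1


def compare_reset_strategies() -> dict[str, list[str]]:
    """Reset the same user's password both ways; return the clients still logged in under each."""
    results: dict[str, list[str]] = {}
    for strategy in ("per_client", "versioned"):
        store = SessionStore()
        store.add_user("alice")
        for client in ("web", "android", "ios"):
            store.login("alice", client)
        if strategy == "per_client":
            # Only web sessions are revoked; mobile sessions survive the reset.
            store.reset_password_per_client("alice", clients_to_revoke=("web",))
        else:
            store.reset_password("alice")
        results[strategy] = store.active_sessions("alice")
    return results


if __name__ == "__main__":
    print(compare_reset_strategies())
```

The `active_sessions` check doubles as the detection step: after a reset, a user (or an automated audit) should see an empty list, and anything left in it is a revocation gap of exactly the kind the article describes.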
“We take our responsibility to protect your privacy very seriously and it’s unfortunate that this happened,” Twitter wrote in its message, where it also encouraged users to regularly review their active sessions from the application settings.
The issue is the latest in a long line of security incidents at the company in recent years, though it’s not as serious as some in the past — like the bug reported last month which affected at least 5.4 million Twitter accounts. In that case, a security vulnerability allowed threat actors to compile information about Twitter users’ accounts, which was then advertised for sale on a cybercrime forum.
Last May, Twitter also paid $150 million to settle Federal Trade Commission charges that it used personal information provided by users to protect their accounts, such as email addresses and phone numbers, for ad targeting purposes. And in 2019, Twitter revealed a bug that shared some users’ location data with partners, and another that also led to user data being shared with partners. It also ran into an issue where a security researcher used a flaw in the Android app to match 17 million phone numbers with Twitter user accounts.
While it’s helpful for Twitter to be transparent about the bugs it finds and the fixes it makes, the company’s overall cybersecurity issues are now under increased scrutiny after a whistleblower complaint filed by former security chief Peiter “Mudge” Zatko in August.
Zatko alleged that the company was negligent in securing its platform, citing issues including a lack of security on employees’ devices, a lack of safeguards around Twitter’s source code, excessive employee access to sensitive data and the Twitter service, a number of unpatched vulnerabilities, a lack of encryption for some stored data, an excessive number of security incidents, and threats to national security, among others.
In that context, even smaller bugs like the one disclosed this week may not be seen as one-off mistakes by the company, but rather as another example of broader security issues at Twitter that deserve more attention.