Weeks after Twitter’s former security chief accused the company of cyber security mismanagement, Twitter has now informed its users of a bug that did not close all of a user’s active login sessions on Android and iOS after an account’s password was reset. This issue could have implications for those who had reset their password because they believed their Twitter account might be at risk, perhaps due to a lost or stolen device, for example.
Assuming that whoever owned the device could access its apps, they would have full access to the affected user’s Twitter account.
In a blog post, Twitter explains that it learned of the bug that allowed “some” accounts to remain logged in on multiple devices after a user voluntarily reset their password.
Typically, when a password reset occurs, the session token that keeps a user logged into the app is also revoked — but that didn’t happen on mobile devices, Twitter says. Web sessions were not affected and were terminated properly, the company noted.
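The mechanism the article describes, as an added example that is not Twitter’s code: a toy session store in Python in which a password reset is supposed to invalidate every active session. The hypothetical `reset_password_buggy` reproduces the class of failure described above (revocation enumerates client types and misses the mobile ones), while `reset_password` shows an invariant-based fix: every session records the password generation it was issued under, and validation compares that to the account’s current generation, so a reset invalidates web, Android and iOS sessions at once without any per-client code path. All class and method names are assumptions made for this example.

```python
"""Session revocation on password reset: added illustration, not Twitter's code."""
import secrets
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Session:
    token: str
    user_id: str
    client: str                 # hypothetical client label: "web", "android", "ios"
    password_generation: int    # generation of the password this session was issued under


@dataclass
class Account:
    user_id: str
    password_generation: int = 1   # bumped on every password reset


class SessionStore:
    """In-memory store standing in for a real session backend (constructed for the example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def create_account(self, user_id: str) -> None:
        self.accounts[user_id] = Account(user_id)

    def login(self, user_id: str, client: str) -> str:
        """Issue a session token bound to the account's current password generation."""
        account = self.accounts[user_id]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id, client, account.password_generation)
        return token

    def is_valid(self, token: str) -> bool:
        """A session is valid only if it was issued under the current password."""
        session = self.sessions.get(token)
        if session is None:
            return False
        account = self.accounts[session.user_id]
        return session.password_generation == account.password_generation

    def reset_password_buggy(self, user_id: str) -> None:
        """Flawed revocation: deletes sessions by enumerating client types.

        Only "web" is listed, so Android and iOS sessions survive the reset.
        This mirrors the failure mode described in the article, not its actual code.
        """
        for token in [t for t, s in self.sessions.items()
                      if s.user_id == user_id and s.client == "web"]:
            del self.sessions[token]

    def reset_password(self, user_id: str) -> None:
        """Correct revocation: bump the generation so every existing session fails is_valid().

        No client list to keep in sync; any session issued before the reset is dead.
        """
        self.accounts[user_id].password_generation += 1
        # Optional housekeeping: drop stale rows now that they can never validate.
        for token in [t for t, s in self.sessions.items()
                      if s.user_id == user_id and not self.is_valid(t)]:
            del self.sessions[token]

    def active_sessions(self, user_id: str) -> List[str]:
        """Client labels with currently valid sessions (what a 'sessions' settings page would show)."""
        return sorted(s.client for t, s in self.sessions.items()
                      if s.user_id == user_id and self.is_valid(t))


if __name__ == "__main__":
    store = SessionStore()
    store.create_account("alice")
    for client in ("web", "android", "ios"):
        store.login("alice", client)
    store.reset_password_buggy("alice")
    print("after buggy reset:", store.active_sessions("alice"))   # mobile sessions remain
    store.reset_password("alice")
    print("after fixed reset:", store.active_sessions("alice"))   # empty
```

The design point is that revocation should follow from a property every session carries (the password generation it was minted under) rather than from a list of client types that has to be updated whenever a new app or login path is added; the `active_sessions` view is the equivalent of the settings page the article recommends users check.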
Twitter explains that the flaw came after a change it made last year to its password reset systems, meaning the flaw has existed for months undetected. To address the issue, Twitter has now directly notified affected users, proactively logged them out of their open sessions across devices, and prompted them to log in again. However, the company did not provide details on how many people were affected.
“We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened,” Twitter wrote in its announcement, which also encouraged users to review their active open sessions regularly from the application settings.
The issue is the latest in a long line of security incidents at the company in recent years, though not as severe as some in the past — like the bug reported last month that exposed at least 5.4 million Twitter accounts. In that case, a security vulnerability had allowed threat actors to harvest information on Twitter user accounts, which was then listed for sale on a cybercrime forum.
Last May, Twitter was also forced to pay $150 million in a settlement with the Federal Trade Commission for using personal information that users had provided to secure their accounts, such as emails and phone numbers, for ad targeting purposes. And in 2019, Twitter discovered a bug that had shared some users’ location data with partners, and another that also led to user data being shared with partners. Plus, the company faced a problem where a security researcher had used a flaw in the Android app to match 17 million phone numbers with Twitter user accounts.
While it’s helpful for Twitter to be transparent about the bugs it finds and the fixes it makes, the company’s overall cybersecurity issues are now under increased scrutiny following a whistleblower complaint filed by its former security chief, Peiter “Mudge” Zatko in August.
Zatko alleged that the company was negligent in securing its platform, citing issues including a lack of employee device security, a lack of safeguards around Twitter’s source code, widespread employee access to sensitive data and the Twitter service, a number of unaddressed vulnerabilities, lack of data encryption for some stored data, an extremely high number of security incidents and more, as well as threats to national security.
In that context, even smaller bugs like the one disclosed this week may be seen not as one-off mistakes by the company, but as another example of Twitter’s broader security issues that deserve more attention.