Weeks after Twitter’s ex-security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users about a bug that didn’t close all active logged-in sessions of a user on Android and iOS after an account’s password was reset. This issue could impact those who reset their password because they believed their Twitter account might be compromised, for example due to a lost or stolen device.
Assuming anyone who owned the device could access their apps, they would have had full access to the affected user’s Twitter account.
In a blog post, Twitter says it learned of the bug that allowed “some” accounts to remain signed in across devices after a user voluntarily reset their password.
Typically, resetting a password also revokes the session token that keeps a user logged in to the app — but that didn’t happen on mobile, Twitter says. However, web sessions were not affected and have been closed accordingly, it said.
Twitter explains that the bug appeared after a change made to the systems that reset its passwords last year, meaning the bug has existed undetected for a few months. To address the issue, Twitter has now notified affected users directly, proactively logged them out of their open sessions across devices, and prompted them to log back in. However, the company did not say how many people were affected.
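The failure mode described above, where an explicit revocation step reaches the web session store but not the mobile one, can be made harmless with a second, platform-independent check. The following is an added example written for this article, not Twitter’s code: a hypothetical session registry that bumps a per-user password version on every reset and rejects any session bound to an older version, whether or not the revocation sweep ever touched it.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class User:
    user_id: int
    password_hash: str          # placeholder string, not a real hash
    password_version: int = 0   # incremented on every password reset


@dataclass
class Session:
    token: str
    user_id: int
    platform: str               # "web", "android" or "ios" (constructed values)
    password_version: int       # user's password version when the session was issued
    revoked: bool = False


class SessionStore:
    """Hypothetical server-side session registry, constructed for this example."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.sessions: Dict[str, Session] = {}

    def login(self, user: User, platform: str, token: str) -> Session:
        self.users[user.user_id] = user
        session = Session(token, user.user_id, platform, user.password_version)
        self.sessions[token] = session
        return session

    def reset_password(self, user: User, new_hash: str) -> None:
        user.password_hash = new_hash
        user.password_version += 1
        # Explicit revocation that, like the bug in the article, only reaches
        # web sessions; Android and iOS sessions are never marked revoked here.
        for session in self.sessions.values():
            if session.user_id == user.user_id and session.platform == "web":
                session.revoked = True

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None or session.revoked:
            return False
        user = self.users.get(session.user_id)
        # Defence in depth: a session issued under an older password version is
        # rejected on every platform, even when the revocation sweep missed it.
        return user is not None and session.password_version == user.password_version
```

Because validity is decided at request time from the user record, a session store that was skipped by the revocation sweep still cannot be used after the reset; auditing open sessions, as the article recommends, then becomes a check rather than the only safeguard.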
“We take our responsibility to protect your privacy very seriously and it is unfortunate that this has happened,” Twitter wrote in its announcement, where it also encouraged users to check their active open sessions regularly from the settings of the app.
The problem is the latest in a long line of security incidents at the company in recent years, although it’s not as severe as some in the past — like the bug reported last month that exposed at least 5.4 million Twitter accounts. In this case, a vulnerability allowed attackers to compile information about Twitter users’ accounts, which was then offered for sale on a cybercrime forum.
Last May, Twitter was also forced to pay $150 million in a settlement with the Federal Trade Commission for using personal information that users had provided to secure their accounts, such as email addresses and phone numbers, for targeted advertising purposes. And in 2019, Twitter revealed a bug that had leaked some users’ location data to partners, and another that also resulted in users’ data being shared with partners. It also faced an issue where a security researcher exploited a flaw in the Android app to match 17 million phone numbers to Twitter user accounts.
While it helps that Twitter is transparent about the bugs it found and the fixes it made, the company’s overall cybersecurity issues are now coming under increased scrutiny after former security chief Peiter “Mudge” Zatko filed a whistleblower complaint in August.
Zatko claimed the company has been lax in securing its platform, citing issues such as poor employee device security, lack of safeguards around Twitter source code, excessive employee access to sensitive data and the Twitter service, a number of unpatched vulnerabilities, deficiency of data encryption for some stored data, an excessive number of security incidents and more, as well as threats to national security.
In this context, even minor bugs like the one revealed this week may not be viewed as one-off company missteps, but as another example of broader security issues at Twitter that deserve more attention.