Twitter admits that after password resets, users weren’t being logged out of their accounts

Twitter has informed its users of a bug that didn’t close all of a user’s active logged-in sessions on Android and iOS after a password reset, just weeks after the company’s former security chief accused the company of cybersecurity mismanagement. People who have recently changed their Twitter password because they fear for the security of their account may be affected by this bug.

Anyone who could use the apps on such a device would have had complete access to the affected user’s Twitter account.

In a blog post, Twitter announced the discovery of a bug that allowed “some” accounts to remain logged in on multiple devices after the user voluntarily reset their password.

Twitter claims that, on mobile devices, the session token that would normally be revoked whenever a user resets their password was not revoked. However, it emphasised that there was no effect on web sessions, which ended normally.
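The failure mode described above (a reset handler that revokes some session types but not others) and the design that avoids it, as an added illustration that is not Twitter’s code; the store, the `password_generation` counter and the platform names are assumptions for the example:

```python
"""Session revocation on password reset (hypothetical example, not Twitter's code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    platform: str              # "web", "android" or "ios"
    password_generation: int   # generation of the password this session was issued under


@dataclass
class Account:
    password_generation: int = 0
    sessions: dict = field(default_factory=dict)   # token -> Session


class SessionStore:
    def __init__(self):
        self.accounts = {}

    def login(self, user, platform):
        acct = self.accounts.setdefault(user, Account())
        token = secrets.token_urlsafe(32)
        acct.sessions[token] = Session(token, platform, acct.password_generation)
        return token

    def is_valid(self, user, token):
        acct = self.accounts.get(user)
        if acct is None:
            return False
        sess = acct.sessions.get(token)
        # Validity is tied to the credential: a token issued under an older
        # password generation is rejected no matter which platform issued it.
        return sess is not None and sess.password_generation == acct.password_generation

    def reset_password_buggy(self, user):
        # Mirrors the reported failure: the reset path only enumerates and
        # deletes web sessions, so mobile tokens keep working after the reset.
        acct = self.accounts[user]
        for tok in [t for t, s in acct.sessions.items() if s.platform == "web"]:
            del acct.sessions[tok]

    def reset_password_fixed(self, user):
        # Bumping the generation invalidates every existing session at once,
        # including client types the reset handler never heard of.
        acct = self.accounts[user]
        acct.password_generation += 1
```

The point of the fixed variant is that a later infrastructure change to the reset path cannot silently skip a platform, because nothing in that path has to list platforms at all.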

According to Twitter, the flaw appeared after the company updated the infrastructure that handled password resets last year. This means the flaw has likely been present for quite some time without being noticed. Twitter has proactively logged affected users out of all open sessions across all devices, informed them directly, and requested that they log in again. However, the company did not provide information about how many people were affected.

Twitter said in a statement that it “takes our responsibility to protect your privacy very seriously and it is unfortunate this happened,” and that users should check their app’s settings periodically to see which sessions are still active.

This is the latest in a series of security incidents at the company over the past few years, though it is not as serious as some of the previous incidents, such as the bug discovered last month that exposed at least 5.4 million Twitter accounts. Due to a security flaw, malicious actors were able to gather information on a large number of Twitter accounts, which were then put up for sale on a dark web marketplace.

Twitter settled with the Federal Trade Commission in May for $150 million over its use of account holders’ personal information, including email addresses and phone numbers, for ad targeting. Moreover, in 2019, Twitter revealed two bugs, one of which led to the sharing of user data (location information in this case) with partners, and the other of which did not. In addition, a security researcher had exploited a hole in the Android app to link 17 million phone numbers to their respective Twitter accounts.

As a result of the whistleblower complaint filed in August by Twitter’s former head of security, Peiter “Mudge” Zatko, the company’s overall cybersecurity issues are under increased scrutiny, which is why it’s helpful that Twitter is transparent about the bugs it finds and the fixes it implements.

Zatko claimed the company was careless about protecting its platform, citing numerous vulnerabilities, unpatched holes, a lack of data encryption for some stored information, an excessive number of security incidents, and even threats to national security as evidence.

Considered in this light, the relatively minor bug that was disclosed this week may not be an isolated incident but rather indicative of larger, more systemic problems with Twitter’s security that require more investigation.