Twitter Password Reset Bug Exposed User Accounts

Improper Session Handling flaw after Password Reset

    Twitter has logged some users out after fixing a bug that left some accounts logged in on mobile devices after a voluntary password reset, when every existing session for the account should have been closed.

    "That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed. Web sessions were not affected and were closed appropriately," Twitter explained.
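The failure mode Twitter describes is a password reset that closes only the session on the device performing the reset. The following is an added example, not Twitter's code, with hypothetical names: a minimal session store in which the buggy reset leaves other devices logged in, and a hardened reset that rotates a per-user password generation and purges every session for the account. The generation check also catches a stale session record that survives the purge, for instance on a replica that missed the delete.

```python
# Added example, not Twitter's code: why a password reset must invalidate every
# open session for the account, not just the one on the resetting device.
# All names (AuthService, password_generation, ...) are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class User:
    username: str
    password_hash: str
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    username: str
    device: str
    password_generation: int  # generation in force when the session was issued


def hash_password(password: str) -> str:
    # Constructed fixed salt keeps the example deterministic; real code uses a
    # per-user salt and a memory-hard hash such as argon2, bcrypt or scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 100_000).hex()


class AuthService:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}  # token -> session

    def register(self, username: str, password: str) -> None:
        self.users[username] = User(username, hash_password(password))

    def credentials_ok(self, username: str, password: str) -> bool:
        user = self.users[username]
        return hmac.compare_digest(user.password_hash, hash_password(password))

    def _issue(self, user: User, device: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user.username, device, user.password_generation)
        return token

    def login(self, username: str, password: str, device: str) -> str:
        if not self.credentials_ok(username, password):
            raise PermissionError("bad credentials")
        return self._issue(self.users[username], device)

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        # A session issued under an older password generation is stale even if
        # its record is still present (e.g. a replica that missed the purge).
        return s.password_generation == self.users[s.username].password_generation

    def active_devices(self, username: str) -> List[str]:
        return sorted(s.device for t, s in self.sessions.items()
                      if s.username == username and self.is_valid(t))

    def reset_password_buggy(self, username: str, new_password: str, current_token: str) -> str:
        """The failure mode in the article: the password changes and the resetting
        device gets a fresh session, but sessions on other devices survive."""
        user = self.users[username]
        device = self.sessions.pop(current_token).device
        user.password_hash = hash_password(new_password)
        return self._issue(user, device)

    def reset_password(self, username: str, new_password: str, current_token: str) -> str:
        """Hardened: bump the generation so every earlier session fails validation,
        purge those sessions from the store, then issue one fresh session."""
        user = self.users[username]
        device = self.sessions.pop(current_token).device
        user.password_hash = hash_password(new_password)
        user.password_generation += 1
        for tok in [t for t, s in self.sessions.items() if s.username == username]:
            del self.sessions[tok]
        return self._issue(user, device)


def demo() -> Dict[str, List[str]]:
    """Run both variants; return which devices remain logged in after the reset."""
    results = {}
    for name, reset in (("buggy", AuthService.reset_password_buggy),
                        ("fixed", AuthService.reset_password)):
        svc = AuthService()
        svc.register("alice", "old-password")
        svc.login("alice", "old-password", "phone")
        laptop = svc.login("alice", "old-password", "laptop")
        reset(svc, "alice", "new-password", laptop)
        results[name] = svc.active_devices("alice")
    return results


if __name__ == "__main__":
    print(demo())  # {'buggy': ['laptop', 'phone'], 'fixed': ['laptop']}
```

Purging the store and rotating the generation are deliberately both done: the purge is what a user-facing "log out everywhere" does, while the generation check is the defence that still holds when a session record escapes the purge, which is exactly the kind of gap a change to the reset pipeline can open.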


    The bug carries a real privacy risk for affected users: anyone holding a device that stayed logged in, such as a shared, lost or stolen phone, could keep using the account without the owner's knowledge, even after the owner had changed the password precisely to shut such access out.

    Because of this, the company reached out to those who might have been impacted and logged them out of their accounts on all active sessions across all devices.

    "We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again," the company added.

    "We realize this may be inconvenient for some, but it was an important step to keep your account safe and secure from potential unwanted access."


    Twitter says it is “proactively” logging some users out as a result of the bug. The company attributed the issue to “a change to the systems that power password resets” that occurred at some point in 2021. A Twitter spokesperson declined to elaborate on when this change was made or exactly how many users are affected. “I can share that for most people, this wouldn't have led to any harm or account compromise,” the spokesperson said. 

    While Twitter states that “most people” wouldn’t have had their accounts compromised as a result, the news could be worrying for those who have used shared devices, or dealt with a lost or stolen device in the last year.

    Notably, Twitter’s disclosure of the incident comes as the company is reeling from allegations from its former head of security who had filed a whistleblower complaint accusing the company of “grossly negligent” security practices. Twitter has so far declined to address the claims in detail, citing its ongoing litigation with Elon Musk. Musk is using the whistleblower allegations in his legal case to get out of his $44 billion deal to buy Twitter.
