Twitter discloses it wasn’t logging users out of accounts after password resets
By Editor - Thu Sep 22, 12:34 pm
Weeks after Twitter’s ex-security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that didn’t close all of a user’s active logged-in sessions on Android and iOS after an account’s password was reset. This issue could have implications for those who had reset their password because they believed their Twitter account could be at risk, perhaps because of a lost or stolen device, for instance. Assuming whoever had possession of the device could access its apps, they would have had full access to the impacted user’s Twitter account. In a blog post, Twitter explains that it had learned of the bug that had allowed “some” accounts to stay logged in on multiple devices after a user reset their password voluntarily. Typically, when a password reset occurs, the session token that keeps a user logged into the app is also revoked — but that didn’t take place on mobile devices, Twitter says. Web sessions, however, were not impacted and were closed appropriately, it noted. Twitter explains the bug came about after a change it made last year to the systems that powered its password resets, meaning the bug has existed for a number of months undetected.