Weeks after Twitter's former security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that didn't close all of a user's active logged-in sessions on Android and iOS after an account's password was reset. This issue could have implications for those who had reset their password because they believed their Twitter account could be at risk, perhaps due to a lost or stolen device, for instance.
Assuming whoever had possession of the device could access its apps, they would have had full access to the impacted user's Twitter account.
In a blog post, Twitter explains that it had learned of the bug that had allowed "some" accounts to stay logged in on multiple devices after a user reset their password voluntarily.
Typically, when a password reset occurs, the session token that keeps a user logged into the app would be revoked, but that didn't happen on mobile devices, Twitter says. Web sessions, however, weren't impacted and were closed appropriately, it noted.
Twitter explains the bug came about after a change it made last year to the systems that powered its password resets, meaning the bug had existed for many months undetected. To address the issue, Twitter has now directly informed the affected users, proactively logged them out of their open sessions across devices, and prompted them to log in again. The company didn't detail how many people were impacted, however.
"We take our responsibility to protect your privacy very seriously and it's unfortunate this happened," Twitter wrote in its announcement, where it also encouraged users to review their active open sessions regularly from the app's settings.
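The revocation behaviour described above (session tokens that should be invalidated by a password reset, and the active-session review the announcement recommends), as an added example that is not Twitter's code: a minimal in-memory session store with a deliberately incomplete reset that closes only web sessions, beside the correct reset that closes every session on every platform. The class and method names (`SessionStore`, `reset_password_web_only`, `demo`), the sample account, and the use of SHA-256 for the password are assumptions for illustration; a real password store uses a slow KDF such as argon2 or bcrypt.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    platform: str          # "web", "android" or "ios"
    revoked: bool = False


@dataclass
class Account:
    password_hash: str
    # token hash -> Session; storing only a hash means a leaked store
    # does not hand out usable bearer tokens
    sessions: dict = field(default_factory=dict)


def _digest(value: str) -> str:
    # Illustrative only: a production password store uses a slow KDF
    # (argon2, bcrypt, scrypt); SHA-256 is adequate for random session tokens.
    return hashlib.sha256(value.encode()).hexdigest()


class SessionStore:
    """Hypothetical in-memory account and session store (constructed for this example)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create_account(self, username: str, password: str) -> None:
        self.accounts[username] = Account(password_hash=_digest(password))

    def login(self, username: str, password: str, platform: str) -> str:
        acct = self.accounts[username]
        if not secrets.compare_digest(_digest(password), acct.password_hash):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)          # high-entropy bearer token
        acct.sessions[_digest(token)] = Session(platform)
        return token

    def is_valid(self, username: str, token: str) -> bool:
        session = self.accounts[username].sessions.get(_digest(token))
        return session is not None and not session.revoked

    def active_sessions(self, username: str) -> list[str]:
        """The 'review your active sessions' view: platforms still logged in."""
        return [s.platform for s in self.accounts[username].sessions.values()
                if not s.revoked]

    def reset_password_web_only(self, username: str, new_password: str) -> None:
        """Mirrors the defect the article describes: only web sessions are closed,
        so a phone lost before the reset stays logged in."""
        acct = self.accounts[username]
        acct.password_hash = _digest(new_password)
        for s in acct.sessions.values():
            if s.platform == "web":
                s.revoked = True

    def reset_password(self, username: str, new_password: str) -> None:
        """Correct behaviour: a reset revokes every session on every platform."""
        acct = self.accounts[username]
        acct.password_hash = _digest(new_password)
        for s in acct.sessions.values():
            s.revoked = True


def demo() -> tuple[list[str], list[str]]:
    """Platforms still logged in after the defective reset and after the correct
    one, for a constructed account logged in on web, Android and iOS."""
    store = SessionStore()
    store.create_account("alice", "correct horse")      # constructed sample account
    for platform in ("web", "android", "ios"):
        store.login("alice", "correct horse", platform)

    store.reset_password_web_only("alice", "new password 1")
    still_open_after_defect = store.active_sessions("alice")   # ['android', 'ios']

    store.reset_password("alice", "new password 2")
    still_open_after_fix = store.active_sessions("alice")      # []
    return still_open_after_defect, still_open_after_fix


if __name__ == "__main__":
    print(demo())
```

The point of the side-by-side is the check a reviewer wants on any password-reset path: after the reset, `active_sessions` for the account must be empty regardless of which client created each session, and any previously issued token must fail `is_valid`.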
The issue is the latest in a long line of security incidents at the company in recent years, though it's not as severe as some in the past, like the bug reported last month that had exposed at least 5.4 million Twitter accounts. In that case, a security vulnerability had allowed threat actors to compile information on Twitter users' accounts, which was then listed for sale on a cybercrime forum.
This past May, Twitter was also forced to pay $150 million in a settlement with the Federal Trade Commission for using personal information provided by users to secure their accounts, like emails and phone numbers, for ad targeting purposes. And in 2019, Twitter disclosed a bug that had shared some users' location data with partners and another which also led to user data being shared with partners. Plus, it faced an issue where a security researcher had used a flaw in the Android app to match 17 million phone numbers with Twitter user accounts.
While it's helpful that Twitter is transparent about the bugs it finds and the fixes it makes, the company's overall cybersecurity issues are now under increased scrutiny following the whistleblower complaint filed by its former head of security, Peiter "Mudge" Zatko, in August.
Zatko alleged the company has been negligent in securing its platform, citing issues including a lack of employee device security, a lack of protections around the Twitter source code, overbroad employee access to sensitive data and the Twitter service, a large number of unpatched vulnerabilities, a lack of encryption for some stored data, an excessively high number of security incidents, and more, as well as threats to national security.
In this context, even lesser bugs like the one disclosed this week may not be considered one-off missteps by a company, but rather yet another example of broader security issues at Twitter that deserve more attention.