Weeks after Twitter's ex-security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that didn't close all of a user's active logged-in sessions on Android and iOS after an account's password was reset. This issue could have implications for those who had reset their password because they believed their Twitter account could be at risk, perhaps because of a lost or stolen device, for instance.
Assuming whoever had possession of the device could access its apps, they would have had full access to the impacted user's Twitter account.
In a blog post, Twitter explains that it had learned of the bug that had allowed "some" accounts to stay logged in on multiple devices after a user reset their password voluntarily.
Typically, when a password reset occurs, the session token that keeps a user logged into the app is also revoked -- but that didn't take place on mobile devices, Twitter says. Web sessions, however, were not impacted and were closed appropriately, it noted.
Twitter explains the bug came about after a change it made last year to the systems that powered its password resets, meaning the bug has existed for a number of months undetected. To address the issue, Twitter has now directly informed the affected users, proactively logged them out of their open sessions across devices and prompted them to log in again. The company didn't detail how many people were impacted, however.
"We take our responsibility to protect your privacy very seriously and it is unfortunate this happened," Twitter wrote in its announcement, where it also encouraged users to review their active open sessions regularly from the app's settings.
The issue is the latest in a long line of security incidents at the company in recent years, though it is not as severe as some in the past -- like the bug reported last month that had exposed at least 5.4 million Twitter accounts. In that case, a security vulnerability had allowed threat actors to compile information on Twitter users' accounts, which were then listed for sale on a cybercrime forum.
This past May, Twitter was also forced to pay $150 million in a settlement with the Federal Trade Commission for using personal information provided by users to secure their accounts, like emails and phone numbers, for ad targeting purposes. And in 2019, Twitter disclosed a bug that had shared some users' location data to partners, and another which also led to user data being shared with partners. Plus, it faced an issue where a security researcher had used a flaw in the Android app to match 17 million phone numbers with Twitter user accounts.
While it's helpful that Twitter is transparent about the bugs it finds and the fixes it makes, the company's overall cybersecurity issues are now under increased scrutiny following the whistleblower complaint filed by its former head of security, Peiter “Mudge” Zatko in August.
Zatko alleged the company has been negligent in securing its platform, citing issues including a lack of employee device security, lack of protections around the Twitter source code, overbroad employee access to sensitive data and the Twitter service, a number of unpatched vulnerabilities, lack of data encryption for some stored data, an overly high number of security incidents, and more, as well as threats to national security.
In this context, even lesser bugs like the one disclosed this week may not be considered one-off missteps by a company, but rather yet another example of broader security issues at Twitter that deserve more attention.