September 22, 2022 – Twitter has confirmed it recently fixed a security issue that allowed accounts to remain logged in from multiple devices after a voluntary password reset.
To ensure the safety and privacy of users who might have been affected by the bug, Twitter logged them out of active sessions, according to a statement posted on Wednesday. Twitter called the incident “unfortunate”, saying the social networking firm takes its responsibility to protect user privacy “very seriously”. The statement did not lay out any instructions for users, but informed them of the steps the company has taken to ensure the safety of their accounts.
“We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset,” said Twitter. “That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed.”
We fixed a bug that didn't close all active logged in sessions on Android and iOS after an account's password was reset. To keep your account safe, we logged some of you out. You can log back in to keep using Twitter.
For more details on what happened: https://t.co/OmjLKOe5bs
— Support (@Support) September 21, 2022
Web sessions, however, were not affected and were closed appropriately. The bug was introduced last year after Twitter made a change to the systems that power password resets, according to the statement.
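The failure mode described above is a password reset that does not revoke every existing session. The following is an added illustration, not Twitter's code and not a description of its actual systems: a hypothetical in-memory session store with a buggy reset that only closes web sessions beside a hardened reset that revokes every session and binds tokens to a credential generation, plus the post-reset audit a defender would run to catch sessions that survive. All names (SessionStore, credential_generation, live_clients) and the sample account are constructed for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Account:
    user_id: str
    password_hash: str              # placeholder value; a real system stores a slow-KDF hash
    credential_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    token: str
    user_id: str
    client: str                     # "web", "android" or "ios"
    generation: int                 # account's credential generation when the session was issued
    revoked: bool = False


class SessionStore:
    """Constructed in-memory store standing in for a session backend (hypothetical)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def create_account(self, user_id: str, password_hash: str) -> None:
        self.accounts[user_id] = Account(user_id, password_hash)

    def login(self, user_id: str, client: str) -> str:
        acct = self.accounts[user_id]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id, client, acct.credential_generation)
        return token

    def reset_password_buggy(self, user_id: str, new_hash: str) -> None:
        """Models the failure mode: only web sessions are closed and nothing
        ties the remaining tokens to the credential they were issued under."""
        self.accounts[user_id].password_hash = new_hash
        for s in self.sessions.values():
            if s.user_id == user_id and s.client == "web":
                s.revoked = True

    def reset_password(self, user_id: str, new_hash: str) -> None:
        """Hardened reset: revoke every session for the account regardless of
        client kind, and bump the credential generation so that any token which
        escapes revocation (a replica that missed the write, a client kind added
        later) still fails validation."""
        acct = self.accounts[user_id]
        acct.password_hash = new_hash
        acct.credential_generation += 1
        for s in self.sessions.values():
            if s.user_id == user_id:
                s.revoked = True

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return False
        # Reject tokens issued under an older credential generation.
        return s.generation == self.accounts[s.user_id].credential_generation

    def live_clients(self, user_id: str) -> list[str]:
        """Client kinds that still hold a usable session. Run this after a reset
        as an audit: the expected result is an empty list."""
        return sorted(s.client for s in self.sessions.values()
                      if s.user_id == user_id and self.is_valid(s.token))


def demo(buggy: bool) -> list[str]:
    """Log one constructed account in on three clients, reset its password,
    and report which clients remain logged in."""
    store = SessionStore()
    store.create_account("alice", "hash-v1")
    for client in ("web", "android", "ios"):
        store.login("alice", client)
    if buggy:
        store.reset_password_buggy("alice", "hash-v2")
    else:
        store.reset_password("alice", "hash-v2")
    return store.live_clients("alice")


if __name__ == "__main__":
    print("buggy reset leaves live sessions on:", demo(buggy=True))     # ['android', 'ios']
    print("hardened reset leaves live sessions on:", demo(buggy=False))  # []
```

The generation check in `is_valid` is the part worth keeping even when revocation works: it makes a reset effective against sessions the revocation loop never saw, and the `live_clients` audit turns "did the reset actually log everyone out" into a question a monitoring job can answer per account.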
“We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again. We realise this may be inconvenient for some, but it was an important step to keep your account safe and secure from potential unwanted access.”
Twitter has been under intense scrutiny since former security chief turned whistleblower Peiter Zatko’s complaint regarding vulnerabilities in the firm’s security infrastructure went public. Zatko, who was fired by the company in January, testified before the Senate Judiciary Committee on September 13.
Besides claiming Twitter staff have excessive access to sensitive user data, the whistleblower levelled allegations of inadequate security measures to protect user data and privacy, and of foreign intelligence interventions at the firm. According to Zatko, Twitter was also forced to employ an agent of the Indian government.
Zatko filed his complaint with the US Securities and Exchange Commission (SEC), the Department of Justice (DOJ) and the Federal Trade Commission (FTC) in July. The complaint was later published by The Washington Post and CNN on August 23, prompting heated discussions about Twitter’s handling of personal user data, its privacy measures, and its unprotected information systems.
The complaint has also rattled the firm in its ongoing $44 billion acquisition dispute in court with Tesla CEO Elon Musk, who backed out of his proposed deal in April, accusing company executives of misleading him about the number of spam and bot accounts on the platform.