Weeks after Twitter's former security chief accused the company of mishandling cybersecurity, Twitter has now informed its users of a bug that did not close all of a user's active logged-in sessions on Android and iOS after an account's password was reset. This issue may have implications for people who had reset their password because they thought their Twitter account might be at risk, perhaps due to a lost or stolen device, for example.
Assuming whoever had access to the device was able to open its apps, they would have had full access to the affected user's Twitter account.
In a blog post, Twitter explains that it had discovered the bug that allowed "certain" accounts to remain signed in on multiple devices after a user voluntarily reset their password.
Normally, when a password reset occurs, the session token that keeps a user logged in to the app is also revoked, but that did not happen on mobile devices, Twitter said. Web sessions, however, were not affected and were closed correctly, it noted.
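As an added illustration (not code from Twitter or from the blog post), the sketch below models the failure mode described above: revoking sessions by enumerating one client type misses the others, whereas binding every token to a per-account password generation invalidates all of them on reset. All names are hypothetical.

```python
"""Session invalidation on password reset: enumerate-and-delete vs. generation check."""
import secrets


class SessionStore:
    """Hypothetical store with separate web and mobile session tables."""

    def __init__(self):
        self.password_generation = {}   # user -> int, bumped on each reset
        self.web_sessions = {}          # token -> (user, generation at login)
        self.mobile_sessions = {}       # token -> (user, generation at login)

    def login(self, user, client):
        gen = self.password_generation.setdefault(user, 0)
        token = secrets.token_urlsafe(16)
        table = self.web_sessions if client == "web" else self.mobile_sessions
        table[token] = (user, gen)
        return token

    def reset_password_buggy(self, user):
        # Models the reported flaw: only the web table is swept, so Android/iOS
        # tokens issued before the reset keep working.
        stale = [t for t, (u, _) in self.web_sessions.items() if u == user]
        for t in stale:
            del self.web_sessions[t]

    def reset_password_fixed(self, user):
        # Bump the generation instead of hunting for tokens: every token issued
        # under the old generation fails validation, whichever table holds it.
        self.password_generation[user] = self.password_generation.get(user, 0) + 1

    def is_valid(self, token):
        entry = self.web_sessions.get(token) or self.mobile_sessions.get(token)
        if entry is None:
            return False
        user, gen = entry
        return gen == self.password_generation.get(user, 0)


def demo(reset_method):
    """Log in on web and iOS, reset the password, report which tokens survive."""
    store = SessionStore()
    web, ios = store.login("alice", "web"), store.login("alice", "ios")
    getattr(store, reset_method)("alice")
    return store.is_valid(web), store.is_valid(ios)
```

Running `demo("reset_password_buggy")` leaves the iOS token valid, which is exactly the condition a post-reset audit of active sessions should flag.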
Twitter explains that the bug was introduced by a change it made last year to the systems that power its password resets, meaning it went undetected for a number of months. To address the issue, Twitter has now directly notified the affected users, proactively logged them out of their open sessions across devices and prompted them to log back in. However, the company did not specify how many people were affected.
"We take our responsibility to protect your privacy very seriously and it's unfortunate that this happened," Twitter wrote in its announcement, where it also encouraged users to review their active open sessions regularly from the app's settings.
The issue is the latest in a long line of security incidents at the company in recent years, though not as serious as some in the past, like the bug reported last month that had exposed at least 5.4 million Twitter accounts. In that case, a security vulnerability had allowed threat actors to harvest data on Twitter users' accounts, which was then listed for sale on a cybercrime forum.
In May, Twitter was also forced to pay $150 million in a settlement with the Federal Trade Commission for using personal data that users had provided to secure their accounts, such as email addresses and phone numbers, for ad targeting. And in 2019, Twitter disclosed a bug that had shared some users' location data with partners, and another that also led to user data being shared with partners. Additionally, it faced an issue where a security researcher had used a bug in the Android app to match 17 million phone numbers with Twitter user accounts.
While it is helpful that Twitter is transparent about the bugs it finds and the fixes it makes, the company's overall cybersecurity woes are now under increased scrutiny following a whistleblower complaint filed by its former chief security officer, Peiter "Mudge" Zatko, in August.
Zatko alleged that the company has been negligent in securing its platform, citing issues including a lack of security for employees' devices, a lack of security around Twitter's source code, excessive employee access to sensitive data and to the Twitter service, a number of unpatched vulnerabilities, a lack of encryption for some stored data, an excessive number of security incidents and more, as well as threats to national security.
In this context, even smaller bugs like the one disclosed this week cannot be considered isolated missteps by the company, but rather another example of broader security problems at Twitter that deserve more attention.