Twitter discloses it wasn’t logging users out of accounts after password resets • TechCrunch

Weeks after Twitter's former head of security accused the company of poorly managing its security, Twitter has disclosed a bug that did not close all of a user's active login sessions on Android and iOS after the account's password was reset. The issue affects exactly the people who reset their password because they believe their Twitter account may be at risk, for example after a lost or stolen device.

Since anyone holding the device can typically open its apps, that person would have retained full access to the affected user's Twitter account even after the password was changed.

In a blog post, Twitter explained that it had learned of a bug that allowed "some" accounts to remain signed in across multiple devices after users proactively reset their passwords.

Normally, when a password reset occurs, the session token that keeps the user logged into the app is also revoked. That was not happening on mobile devices, Twitter said. Web sessions were not affected and were closed as expected, it noted.
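To make the failure mode concrete, here is an added example (not Twitter's code, and not from the TechCrunch article) of a hypothetical in-memory session store. It contrasts a reset routine that revokes only web sessions, which reproduces the behaviour described above, with one that revokes every session for the user. It also binds each session to a password version so that a stale token is rejected even if a revocation path misses it, and includes an audit helper that lists sessions issued under an older password. All names (`SessionStore`, `reset_password_buggy`, `reset_password_fixed`, the client labels) and the sample user are constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    user_id: str
    client: str            # constructed labels: "web", "android" or "ios"
    password_version: int  # password version the session was issued under


class SessionStore:
    """Hypothetical in-memory session store (added example, not Twitter's code)."""

    def __init__(self):
        self.sessions = {}          # token -> Session
        self.password_version = {}  # user_id -> int, bumped on every reset

    def login(self, user_id, client):
        token = secrets.token_urlsafe(32)
        version = self.password_version.setdefault(user_id, 1)
        self.sessions[token] = Session(token, user_id, client, version)
        return token

    def _bump_password_version(self, user_id):
        self.password_version[user_id] = self.password_version.get(user_id, 1) + 1

    def reset_password_buggy(self, user_id):
        # Bug: revocation is scoped to web sessions, so mobile tokens stay live.
        self._bump_password_version(user_id)
        doomed = [t for t, s in self.sessions.items()
                  if s.user_id == user_id and s.client == "web"]
        for token in doomed:
            del self.sessions[token]

    def reset_password_fixed(self, user_id):
        # Fix: every session belonging to the user is revoked, whatever the client.
        self._bump_password_version(user_id)
        doomed = [t for t, s in self.sessions.items() if s.user_id == user_id]
        for token in doomed:
            del self.sessions[token]

    def token_exists(self, token):
        # Naive check: the token is still present in the store.
        return token in self.sessions

    def is_valid(self, token):
        # Strict check: the token must also match the user's current password
        # version, so a token the revocation path missed is still rejected.
        session = self.sessions.get(token)
        if session is None:
            return False
        return session.password_version == self.password_version.get(session.user_id, 1)

    def stale_sessions(self, user_id):
        # Audit helper: clients whose sessions predate the latest password reset.
        current = self.password_version.get(user_id, 1)
        return sorted(s.client for s in self.sessions.values()
                      if s.user_id == user_id and s.password_version < current)


def demo(fixed, strict):
    """Log one user in on three clients, reset the password, report which tokens survive."""
    store = SessionStore()
    tokens = {client: store.login("alice", client) for client in ("web", "android", "ios")}
    (store.reset_password_fixed if fixed else store.reset_password_buggy)("alice")
    check = store.is_valid if strict else store.token_exists
    return {client: check(token) for client, token in tokens.items()}


def audit_after_buggy_reset():
    store = SessionStore()
    for client in ("web", "android", "ios"):
        store.login("alice", client)
    store.reset_password_buggy("alice")
    return store.stale_sessions("alice")


if __name__ == "__main__":
    print("buggy reset, existence check:", demo(fixed=False, strict=False))
    print("buggy reset, version check:  ", demo(fixed=False, strict=True))
    print("fixed reset, existence check:", demo(fixed=True, strict=False))
    print("stale sessions after buggy reset:", audit_after_buggy_reset())
```

The version binding is the part worth copying: with revocation spread across separate web and mobile session systems, a per-user password version checked on every request catches any store that a reset forgot to purge, and the audit helper is the query to run against existing sessions after a change to the reset path.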

Twitter said the bug stems from a change it made last year to its password reset systems, meaning it went undetected for a number of months. To address the issue, Twitter has now notified affected users directly, logged them out of their open sessions across devices, and prompted them to sign back in. The company did not say how many people were affected.

“We take our responsibility to protect your privacy very seriously, and it’s regrettable that this has happened,” Twitter wrote in its announcement, encouraging users to review their active open sessions regularly from the app’s settings.

The issue is the latest in a series of security incidents at the company in recent years, although it is not as severe as some in the past, like the one reported last month, which exposed at least 5.4 million Twitter accounts. In that case, a security flaw allowed threat actors to aggregate information on Twitter users' accounts, which was then put up for sale on a cybercrime forum.

Last May, Twitter was also forced to pay $150 million in a settlement with the Federal Trade Commission for using personal information that users had provided to secure their accounts, such as email addresses and phone numbers, for ad targeting. In 2019, Twitter disclosed a bug that had shared some users' location data with a partner, and another that led to user data being shared with partners. It also faced an incident in which a security researcher used a flaw in the Android app to match 17 million phone numbers to Twitter user accounts.

While it is helpful for Twitter to be transparent about the bugs it finds and the fixes it makes, the company's overall cybersecurity posture is under increased scrutiny following the whistleblower complaint filed by its former security chief, Peiter "Mudge" Zatko, in August.

Zatko accused the company of negligence in securing its platform, citing a lack of security on employees' devices, a lack of protection around Twitter's source code, excessive employee access to sensitive data and Twitter services, unpatched vulnerabilities, a lack of encryption for some stored data, an excessive number of security incidents and more, as well as national security concerns.

In this context, even smaller bugs like the one disclosed this week may be seen not as a one-off mistake by one company, but as another example of broader security problems at Twitter that deserve closer attention.
