Twitter: Our Password Reset Function Failed to Log Users Out of Devices

A password reset can be a crucial way to boot a hacker out of your account in the event you suspect a stranger has access—but that’s only if the function works. 

On Wednesday, Twitter revealed its own password-reset system has been suffering from a software bug that prevented it from logging out all user sessions on an account.

“We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset,” the company wrote in a blog post. “That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed.”

That’s unsettling news for anyone who initiated a password reset to secure their Twitter accounts. The company says the software bug stopped it from closing active account sessions on iOS and Android versions of the app. “Web sessions were not affected and were closed appropriately,” the company added.
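As an added example (not Twitter's code; the data model, function names and platform strings are assumed), here is the class of defect described above beside the intended behaviour: a password reset that closes only web sessions, versus one that invalidates every outstanding session on the account regardless of device.

```python
"""Session revocation on password reset: the reported defect next to the
intended behaviour. Illustrative code, not Twitter's; names are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    platform: str      # assumed values: "web", "ios" or "android"
    generation: int    # account credential generation at issue time


@dataclass
class Account:
    user_id: str
    # Bumped on every credential change. A session is live only while its
    # generation matches, so one reset kills sessions on every device.
    generation: int = 0
    sessions: dict[str, Session] = field(default_factory=dict)


def login(acct: Account, session_id: str, platform: str) -> Session:
    s = Session(session_id, platform, acct.generation)
    acct.sessions[session_id] = s
    return s


def open_sessions(acct: Account) -> list[str]:
    """Platforms with a session the server would still accept."""
    return sorted(s.platform for s in acct.sessions.values()
                  if s.generation == acct.generation)


def reset_password_buggy(acct: Account, from_session: str) -> None:
    """Models the reported behaviour: web sessions are closed, mobile
    sessions are untouched and stay valid because nothing about the
    account changed that their checks would notice."""
    for sid in [sid for sid, s in acct.sessions.items() if s.platform == "web"]:
        del acct.sessions[sid]


def reset_password(acct: Account, from_session: str) -> Session:
    """Intended behaviour: revoke every session, then issue a fresh one
    for the device that performed the reset so the user re-authenticates."""
    platform = acct.sessions[from_session].platform
    acct.generation += 1        # every session issued before this is now dead
    acct.sessions.clear()       # drop the dead server-side records too
    return login(acct, from_session + "-new", platform)


def demo() -> tuple[list[str], list[str]]:
    """Same start state (web, iOS, Android logged in) through both resets."""
    results = []
    for reset in (reset_password_buggy, reset_password):
        acct = Account("user-1")
        for sid, platform in (("s-web", "web"), ("s-ios", "ios"), ("s-android", "android")):
            login(acct, sid, platform)
        reset(acct, "s-web")                 # reset initiated from the web session
        results.append(open_sessions(acct))
    return results[0], results[1]
```

The buggy path leaves the iOS and Android sessions accepted after the reset; the generation-based path leaves only the freshly issued session for the device that changed the password.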

In another worrisome sign, Twitter is indicating the software bug may have been around for at least nine months. In the blog post, the company wrote: “This bug was introduced after we made a change to the systems that power password resets last year.” 

To address the issue, the company said: “We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again.” 

The log-outs may be inconvenient for affected users, but Twitter says it’s taking the step to ensure no unauthorized users remain logged into their accounts. Users can also review any active open sessions for their Twitter account, and selectively shut them down, if necessary.

In a statement, a Twitter spokesperson said: “I can’t share exactly when the bug was introduced. However, I can share that for most people, this wouldn’t have led to any harm or account compromise. We’ve logged people out as a precaution.” 

Twitter disclosed the problem as a whistleblower alleges the company is trying to cover up major security problems at the social media platform. According to Peiter “Mudge” Zatko, Twitter’s former head of security, the company has major gaps in its IT systems when it comes to monitoring and stopping the security threats facing the platform.

But the company has denied the allegations from Zatko. “Security and privacy have long been company-wide priorities at Twitter and will continue to be,” Twitter told PCMag last month.