Twitter announced yesterday that it had fixed a software bug in its Android and iOS apps that kept users logged into active sessions following a voluntary password reset.
The bug, which may have been present since it was introduced last year, could further add to claims of poor cybersecurity that have plagued the social media platform in 2022.
‘An Incident Impacting Password Resets’
The flaw allowed Twitter users to remain logged in to their accounts across multiple devices following a voluntary password reset. Since users typically initiate a password reset following an account compromise — a stolen or lost mobile device, for example — a malicious actor could have still had access to a user’s Twitter account if the session was open.
Twitter disclosed the incident in a Sept. 21 blog post, noting that it had fixed the issue and logged all potentially affected users out of active sessions. The company also said that the bug only affected the Twitter Android and iOS apps, and that web sessions were closed appropriately.
“In order to help ensure the safety and security of everyone that may have been affected, we’ve proactively logged people who may have been affected out of active sessions,” Twitter said. “We take our responsibility to protect your privacy very seriously and it is unfortunate this happened. While there is no action for you to take, we want to share more about the steps we’ve taken and best practices for keeping your account safe.”
According to Twitter, the bug was introduced by a change made last year to the systems that power password resets, which means it could have been present for months, or even a year.
As a precautionary measure, Twitter recommended that users look over their Twitter app settings and review any active open sessions regularly. “We realize this may be inconvenient for some, but it was an important step to keep your account safe and secure from potential unwanted access,” the company said.
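The underlying defect is a session-management one: a password reset updated the credential but left previously issued sessions valid. The following is an added example (not Twitter's code, and not based on any detail of its systems) showing the general pattern a defender would expect: an in-memory auth service where each user carries an "auth generation" counter, every session records the generation it was issued under, and a reset bumps the counter so every older session fails validation. The buggy reset is kept beside the hardened one so the difference in behaviour is visible; all names, the PBKDF2 parameters and the sample users are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password_hash: bytes
    salt: bytes
    auth_generation: int = 0  # incremented on every password reset


@dataclass
class Session:
    token: str
    username: str
    auth_generation: int  # generation the session was issued under
    device: str
    created: float = field(default_factory=time.time)


def hash_password(password: str, salt: bytes) -> bytes:
    # Illustrative parameters only; tune the iteration count for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, hash_password(password, salt), salt)

    def login(self, username: str, password: str, device: str):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
            user.password_hash, hash_password(password, user.salt)
        ):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.auth_generation, device)
        return token

    def is_valid(self, token: str) -> bool:
        # A session is live only if it exists AND was issued under the
        # user's current auth generation. The generation check also covers
        # session copies held in caches that cannot be enumerated per user.
        s = self.sessions.get(token)
        if s is None:
            return False
        return s.auth_generation == self.users[s.username].auth_generation

    def active_sessions(self, username: str) -> list[Session]:
        # What a "review your open sessions" screen would list for the user.
        return [s for s in self.sessions.values()
                if s.username == username and self.is_valid(s.token)]

    def reset_password_buggy(self, username: str, new_password: str) -> None:
        # The failure mode the article describes: the credential changes,
        # but sessions opened before the reset keep working.
        user = self.users[username]
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new_password, user.salt)

    def reset_password(self, username: str, new_password: str) -> None:
        # Hardened version: rotate the credential, bump the generation so
        # every previously issued session fails is_valid(), and purge them.
        user = self.users[username]
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.auth_generation += 1
        for tok in [t for t, s in self.sessions.items() if s.username == username]:
            del self.sessions[tok]


def demo(buggy: bool) -> dict:
    # Constructed scenario: a user resets the password from a laptop while
    # an older session on a lost phone is still open.
    svc = AuthService()
    svc.register("alice", "correct horse battery")
    phone = svc.login("alice", "correct horse battery", "lost-phone")
    laptop = svc.login("alice", "correct horse battery", "laptop")
    if buggy:
        svc.reset_password_buggy("alice", "new passphrase")
    else:
        svc.reset_password("alice", "new passphrase")
    fresh = svc.login("alice", "new passphrase", "laptop")
    return {
        "phone_session_still_valid": svc.is_valid(phone),
        "old_laptop_session_valid": svc.is_valid(laptop),
        "new_login_valid": svc.is_valid(fresh),
        "old_password_still_works": svc.login("alice", "correct horse battery", "x") is not None,
        "open_sessions": len(svc.active_sessions("alice")),
    }


if __name__ == "__main__":
    print("buggy reset:   ", demo(buggy=True))
    print("hardened reset:", demo(buggy=False))
```

With the buggy reset, the old password stops working but the session on the lost phone stays valid, which is exactly the gap a reset is meant to close. The generation counter is the part worth copying: it lets a distributed session store reject stale sessions on the next request without needing to enumerate and delete them synchronously.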
Twitter On A Slippery Slope
Seemingly innocuous flaws like not being logged out can open the door to bigger problems, especially when it comes to massive companies like Twitter that cater to hundreds of millions of users. This is one reason why Elon Musk suggested earlier this year that Twitter direct messages should be end-to-end encrypted. Last week, a whistleblower told the US Senate that Twitter had lax cybersecurity protocols and privacy practices.
Logging in and out of services can be exhausting — as a recent study from 1Password has found — but it is necessary to prevent cybersecurity risks like account hijacking. Twitter fixed a serious security issue last January where any party could obtain Twitter IDs without authentication. This allowed the theft of the data of 5.4 million Twitter users, which was then sold on the dark web.
Similarly, compromised accounts can lead to other social media threats, such as a sneaky phishing scheme that coerced Instagram users into a Bitcoin investment scam in April.
Taking care of your accounts in the social media space is critical, and ensuring you are logged out of open sessions is considered basic cybersecurity practice. For more tips on staying safe online, check out our eight-step guide on cyber hygiene.