Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Twitter Logs Out Some Users Due to Security Issue Related to Password Resets

Twitter said on Wednesday that some users have been logged out of their active sessions in response to a bug that posed a security risk.

The issue was related to password resets — when users reset their password, their active sessions on Android and iOS devices were not closed. Impacted users have been directly notified.

Twitter said on Wednesday that some users have been logged out of their active sessions in response to a bug that posed a security risk.

The issue was related to password resets — when users reset their password, their active sessions on Android and iOS devices were not closed. Impacted users have been directly notified.

“We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset. That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed,” Twitter explained.

The company said users do not have to take any action — except to log back into their account if they were signed out — and noted that web sessions were not impacted. It explained that the bug was introduced last year as a result of a change to systems powering password resets.

In August, the social media giant admitted that a vulnerability in its software had exposed the identities of anonymous account owners — some users, such as human rights activists, might not want to disclose their identities for security reasons.

The confirmation came following reports of 5.4 million users’ data being offered for sale. Twitter said at the time that the vulnerability was patched earlier this year, but it was likely exploited before it was fixed.

Twitter has come under fire after its former security chief Peiter Zatko brought to light some major issues. He said the social media giant has ignored significant user data protection problems, accusing executives of putting profit ahead of security.

The company was also recently ordered to pay a $150 million penalty for failing to protect the privacy of users’ data.

Related: Twitter Says it Removes 1 Million Spam Accounts a Day

Related: Musk Ditches Twitter Deal, Triggering Defiant Response

Related: Twitter Users Can Now Secure Accounts With Multiple Security Keys

Related: Whistleblower: China, India Had Agents Working for Twitter

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...