After its former security chief accused it of mismanagement, Twitter has now told its users about a bug that did not close all of a user's active log-in sessions on their phones after a password reset. This could have implications for people who reset their password because they believed their account was at risk, for example because their device was lost or stolen.
Whoever had possession of the device would have had full access to the user's account.
The company said it discovered the bug, which allowed some accounts to remain logged in on multiple devices after the user reset their password.
When a password is reset, the session token that keeps a user logged in to the app is supposed to be revoked, but that did not happen on mobile devices. The company noted that web sessions were closed appropriately.
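To make the failure mode concrete, here is an added toy model of password-reset session revocation; it is not Twitter's code, and all names (`SessionStore`, `reset_password_buggy`, `lingering_sessions`) are invented for illustration. The buggy reset only revokes web sessions, the fixed one revokes every session for the user regardless of client, and `lingering_sessions` is the post-reset check that would have caught the defect.

```python
# Added illustration (not Twitter's implementation): session revocation on
# password reset, with the reported bug beside its fix.
from dataclasses import dataclass
import secrets


@dataclass
class Session:
    user_id: str
    client: str          # "web" or "mobile"
    token: str
    revoked: bool = False


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> Session

    def login(self, user_id, client):
        s = Session(user_id, client, secrets.token_urlsafe(32))
        self._sessions[s.token] = s
        return s.token

    def is_valid(self, token):
        s = self._sessions.get(token)
        return s is not None and not s.revoked

    def active_sessions(self, user_id):
        return [s for s in self._sessions.values()
                if s.user_id == user_id and not s.revoked]

    def reset_password_buggy(self, user_id):
        # Assumed model of the reported behaviour: only web sessions are
        # revoked, so a mobile token keeps working after the reset.
        for s in self._sessions.values():
            if s.user_id == user_id and s.client == "web":
                s.revoked = True

    def reset_password_fixed(self, user_id):
        # Correct behaviour: every session for the user is revoked,
        # whatever client it came from.
        for s in self._sessions.values():
            if s.user_id == user_id:
                s.revoked = True


def lingering_sessions(store, user_id):
    """Post-reset invariant check: returns the client types of any
    sessions still valid; a non-empty result means the reset failed."""
    return [s.client for s in store.active_sessions(user_id)]
```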
The bug was discovered after a change was made to the systems that power password resets. To address the issue, the company directly notified affected users and has logged them out of their open sessions on all of their devices. The company did not say how many people were affected.
It is unfortunate that this happened, but we take our responsibility to protect your privacy very seriously.
The issue is the latest in a long line of security incidents at the company, though it is not as serious as some in the past, such as the security bug that exposed at least 5.4 million accounts. In that case, threat actors were able to gain access to users' accounts and sell their information on a forum.
In May of this year, the company reached a $150 million settlement with the Federal Trade Commission over its use, for ad targeting, of personal information that users had provided to secure their accounts. There was also a bug that gave location data to partners and another that gave user data to partners, and a security researcher used a flaw in the app to match 17 million phone numbers to users on the micro-blogging site.
Peiter Zatko, the company's former head of security, filed a whistleblower complaint in August, which led to increased scrutiny of the company's overall cybersecurity issues.
According to Zatko, the company has been negligent in securing its platform, citing issues including a lack of employee device security, a lack of protections around the source code, overbroad employee access to sensitive data and a lack of encryption for some data.
Even lesser bugs like the one disclosed this week may be seen not as a one-off mistake by the company, but as another example of broader security issues that deserve more attention.