Changing a password should end active sessions on all devices. Because of a faulty implementation, this did not happen on Twitter.
A flaw in Twitter’s password change process could result in sessions on mobile devices remaining active and usable even though they had been authenticated with the old password. Normally, all active sessions should be terminated when a password is changed. The company has since fixed the issue.
At first glance, the problem may not seem so serious. However, if users change their password because they suspect that strangers are using their account, Twitter left them in the lurch and let the attackers carry on. In a blog post, Twitter qualifies this by saying that web sessions were not affected. But active sessions on mobile devices such as tablets or smartphones were not necessarily terminated.
The bug crept in with changes made last year to the system responsible for password resets, the company explains. Twitter has notified the users it could identify as potentially affected by the bug. As a precaution, they were also logged out of all sessions on all devices and asked to sign in again. “We realize that this might be inconvenient for some, but it was an important step in keeping their access safe and secure from potentially unwanted access,” Twitter wrote.
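To make the failure mode concrete, here is an added example (not Twitter's code, and not from the article) of a server-side session store. A constructed "web" session and a constructed "mobile" session for user `alice` are issued under password version 1; the revocation sweep in `change_password` only clears web sessions, mirroring the behaviour described above. The `bind_to_password_version` flag turns on the fix: every session records the credential version it was issued under, and a session whose version no longer matches the user's current one is rejected even if the sweep missed it. `force_logout` models the precautionary remediation of ending all sessions for affected users. All names and the version-binding scheme are assumptions of this example.

```python
"""Session invalidation on password change: flawed sweep beside a version-bound fix."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    user: str
    client: str            # constructed labels: "web" or "mobile"
    password_version: int  # credential version the session was issued under


class SessionStore:
    """Minimal server-side session registry (hypothetical, for illustration)."""

    def __init__(self, bind_to_password_version: bool):
        self.bind = bind_to_password_version
        self.password_version = {}  # user -> current credential version
        self.sessions = {}          # token -> Session

    def register(self, user: str) -> None:
        self.password_version[user] = 1

    def login(self, user: str, client: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user, client,
                                       self.password_version[user])
        return token

    def change_password(self, user: str) -> None:
        self.password_version[user] += 1
        # Flawed revocation path: only web sessions are swept, so mobile
        # sessions authenticated with the old password survive.
        for token, s in list(self.sessions.items()):
            if s.user == user and s.client == "web":
                del self.sessions[token]

    def is_authenticated(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        if self.bind and s.password_version != self.password_version[s.user]:
            # Fix: a session issued under a superseded password is stale,
            # regardless of client type or whether the sweep caught it.
            del self.sessions[token]
            return False
        return True

    def force_logout(self, user: str) -> int:
        """Precautionary remediation: end every session of an affected user."""
        stale = [t for t, s in self.sessions.items() if s.user == user]
        for token in stale:
            del self.sessions[token]
        return len(stale)


def sessions_after_password_change(bind: bool) -> dict:
    """Which of alice's sessions still work after she changes her password."""
    store = SessionStore(bind)
    store.register("alice")
    web = store.login("alice", "web")
    mobile = store.login("alice", "mobile")
    store.change_password("alice")
    return {"web": store.is_authenticated(web),
            "mobile": store.is_authenticated(mobile)}


def remediate_affected_user() -> dict:
    """Flawed store, then the forced logout of an affected user."""
    store = SessionStore(bind_to_password_version=False)
    store.register("bob")
    mobile = store.login("bob", "mobile")
    store.change_password("bob")
    still_valid = store.is_authenticated(mobile)
    ended = store.force_logout("bob")
    return {"mobile_valid_before": still_valid, "sessions_ended": ended,
            "mobile_valid_after": store.is_authenticated(mobile)}


if __name__ == "__main__":
    print("flawed sweep:", sessions_after_password_change(bind=False))
    print("version-bound:", sessions_after_password_change(bind=True))
    print("remediation:", remediate_affected_user())
```

Binding sessions to a credential version is a second line of defence: the explicit sweep is still desirable so that stale sessions are cleared promptly, but an authorization check that compares versions means a missed session table cannot keep an attacker logged in.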
Security culture in the pillory
Twitter is currently in the pillory anyway for its handling of security. Former security chief Peiter Zatko made serious allegations against the company in a complaint to the supervisory authorities. The hacker, known as “Mudge”, criticized the security culture at Twitter and accused the social network of consistently putting the company’s economic success and growth ahead of user security and data protection.