Twitter failed to log you out of all devices after password resets

by | Sep 22, 2022 | News


Twitter logged out some users after addressing a bug in which some Twitter accounts remained logged in on some mobile devices after voluntary password resets.

“That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed. Web sessions were not affected and were closed appropriately,” Twitter explained.

There are some potential privacy risks for Twitter users who were affected by this bug, including having their accounts accessed by others who got their hands on devices that remained logged in without the user’s knowledge.

Because of this, the company reached out to those who might have been impacted and logged them out of their accounts on all active sessions across all devices.

“We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again,” the company added.

“We realize this may be inconvenient for some, but it was an important step to keep your account safe and secure from potential unwanted access.”
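The failure described above is a session store that closes only the session which performed the reset, leaving sessions on other devices alive. The following is an added example, not Twitter's code: a toy server-side session store that stamps every session with the account's credential generation and bumps that generation on a password reset, so every pre-existing session, on any device, is rejected on its next request. All names (`AccountSessions`, `reset_password_buggy`) are hypothetical.

```python
import secrets


class AccountSessions:
    """Constructed server-side session store for one account.

    Each session records the credential generation current when it was issued.
    A password reset increments the generation, so sessions issued under the
    old password fail the check in is_valid() regardless of which client
    (web or mobile) holds them.
    """

    def __init__(self):
        self.generation = 0
        self.sessions = {}  # token -> {"device": str, "generation": int}

    def login(self, device):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"device": device, "generation": self.generation}
        return token

    def is_valid(self, token):
        # Must run on every authenticated request, not only at login time.
        s = self.sessions.get(token)
        return s is not None and s["generation"] == self.generation

    def active_devices(self):
        return sorted(s["device"] for s in self.sessions.values()
                      if s["generation"] == self.generation)

    def reset_password_buggy(self, token):
        # Mirrors the bug in the article: only the session that performed the
        # reset is closed, so other devices keep a live session.
        self.sessions.pop(token, None)

    def reset_password(self, device):
        # Correct behaviour: invalidate every session issued under the old
        # credential, then issue a fresh session for the device that reset.
        self.generation += 1
        self.sessions = {t: s for t, s in self.sessions.items()
                         if s["generation"] == self.generation}  # drops all old
        return self.login(device)
```

The same generation bump can back a "log out of all devices" button, which is the remediation Twitter applied to affected accounts.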


In July, Twitter was hit by a data breach after threat actors put up for sale a database of phone numbers and email addresses linked to 5.4 million Twitter accounts, stolen in December 2021.

The vulnerability the attacker used to collect the data is one disclosed to Twitter through HackerOne on January 1st and fixed on January 13th, as first reported by Restore Privacy.

BleepingComputer verified with some of the Twitter users listed in a small sample of data shared by the hacker that the leaked private info (email addresses and phone numbers) was accurate.

One month later, Twitter confirmed the reports, saying the threat actor used the zero-day vulnerability patched in January to collect private user information.

As part of the disclosure, Twitter told BleepingComputer that they had begun sending out notifications to alert impacted users that the data breach exposed their phone numbers or email address.

Since July, hacked verified Twitter accounts have also been used to send fake but well-written suspension messages that attempt to steal other verified users’ credentials.


Source: bleepingcomputer.com
