Twitter admits failing to log out users after password resets


Twitter fixed the issue that allowed accounts to stay active on multiple devices even after users changed their passwords.

According to Twitter, the vulnerability in its system meant that users who changed their password remained logged in on other devices.

“That means that if you proactively changed your password on one device but still had an open session on another device, that session may not have been closed,” the company said in a statement.

Since the bug affects cases where the password was changed voluntarily, this could have had a negative impact on users who had their accounts stolen and tried to take back control by changing their passwords.
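The failure mode described above is a session-invalidation gap: rotating the credential without touching the sessions that were issued under the old one. The following is an added example, not Twitter's code, that contrasts a session store with that gap against one that ties every session to a "password generation" counter and bumps it on change, so sessions on other devices stop validating while the session that made the change can be kept. The user, device and password values are constructed for illustration.

```python
"""Added example, not Twitter's code: a toy session store that contrasts the
failure described in the article (a password change leaving sessions on other
devices valid) with the expected behaviour (all other sessions are revoked).
All users, devices and passwords here are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Illustrative only; a production system would use a tuned KDF (argon2/bcrypt/scrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    user_id: str
    device: str
    generation: int  # password generation at the time the session was issued


class SessionStore:
    def __init__(self, revoke_on_password_change: bool) -> None:
        self.revoke_on_password_change = revoke_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = User(salt, _hash_password(password, salt))

    def _check(self, user: User, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)

    def login(self, user_id: str, password: str, device: str) -> str:
        user = self.users[user_id]
        if not self._check(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, device, user.password_generation)
        return token

    def change_password(self, user_id: str, old: str, new: str,
                        current_token: Optional[str] = None) -> None:
        user = self.users[user_id]
        if not self._check(user, old):
            raise PermissionError("bad credentials")
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new, user.salt)
        if self.revoke_on_password_change:
            # Fixed path: bump the generation so every session issued under the
            # old password fails validation; re-stamp the session that made the
            # change so the user is not logged out on the device they are using.
            user.password_generation += 1
            if current_token in self.sessions:
                self.sessions[current_token].generation = user.password_generation
        # Buggy path (the behaviour the article describes): the password is
        # rotated but nothing is done about sessions already open elsewhere.

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        return s.generation == self.users[s.user_id].password_generation


def demo() -> Dict[str, Dict[str, bool]]:
    """Run the same scenario against the buggy and the fixed store."""
    results = {}
    for name, revoke in (("buggy", False), ("fixed", True)):
        store = SessionStore(revoke_on_password_change=revoke)
        store.register("alice", "old-password")
        phone = store.login("alice", "old-password", "android")
        laptop = store.login("alice", "old-password", "web")
        # Alice changes her password from the laptop; the phone session is the one at risk.
        store.change_password("alice", "old-password", "new-password", current_token=laptop)
        fresh = store.login("alice", "new-password", "ios")
        results[name] = {"phone": store.is_valid(phone),
                         "laptop": store.is_valid(laptop),
                         "fresh": store.is_valid(fresh)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

With the buggy store the phone session stays valid after the change, which is the condition that lets an intruder keep an already-open session on a stolen account; with the fixed store only the session that performed the change and sessions opened with the new password validate. Checking a per-user generation (rather than deleting session rows) also works when sessions are cached on many servers, since each validation compares against the current value.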

The social media giant said that, to protect the safety of its users, Twitter logged out people who might have been affected by the vulnerability. Twitter also said it would directly contact people who might have been affected by the issue.

The bug had long persisted in the social network's systems, as Twitter admitted that the flaw could be traced back to last year.

“This bug was introduced after we made a change to the systems that power password resets last year,” reads the company’s statement.

The bug affected Android and iOS users and did not affect web sessions; according to Twitter, those were properly closed after the password reset.

The fix comes only months after news broke that the data of 5.4 million Twitter users was for sale on the dark web.

A threat actor advertised the Twitter handles last month; the data is thought to have been obtained through a breach that the social media platform says it patched back in January, after being alerted to it by a HackerOne platform user.