A password reset can be a crucial way to boot a hacker out of your account in the event you suspect a stranger has access—but that’s only if the function works.
On Wednesday, Twitter revealed its own password-reset system has been suffering from a software bug that prevented it from logging out all user sessions on an account.
“We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset,” the company wrote in a blog post. “That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed.”
That’s unsettling news for anyone who initiated a password reset to secure their Twitter accounts. The company says the software bug stopped it from closing active account sessions on iOS and Android versions of the app. “Web sessions were not affected and were closed appropriately,” the company added.
In another worrisome sign, Twitter is indicating the software bug may have been around for at least nine months. In the blog post, the company wrote: “This bug was introduced after we made a change to the systems that power password resets last year.”
To address the issue, the company said: “We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again.”
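The failure described above comes down to one design rule: a password reset must invalidate every session the account holds, not just the ones a particular code path happens to sweep. The following is an added illustration, not Twitter's code, and it assumes nothing about Twitter's systems: it models a server-side session table with a "buggy" reset that only clears web sessions (leaving mobile sessions live, as the article describes) next to a correct reset that bumps a per-account password generation so any session issued under the old password is rejected at validation time, and it includes the kind of audit query an operator would run to find users whose sessions outlived a password change. The client labels and account names are constructed.

```python
"""Session revocation on password reset (added example, not Twitter's code)."""
import hashlib
import itertools
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    password_generation: int = 0   # bumped on every password change
    password_changed_at: int = 0   # logical clock tick of the last change


@dataclass
class Session:
    token: str
    user_id: str
    client: str                    # constructed labels: "web", "ios", "android"
    issued_at: int                 # logical clock tick when issued
    password_generation: int       # generation the session was issued under


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """In-memory stand-in for a server-side account and session table."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sessions: dict = {}
        self._clock = itertools.count(1)   # monotonic logical clock

    def create_account(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(
            user_id, salt, _hash_password(password, salt),
            password_changed_at=next(self._clock))

    def login(self, user_id: str, password: str, client: str) -> Optional[str]:
        acct = self.accounts.get(user_id)
        if acct is None or not secrets.compare_digest(
                _hash_password(password, acct.salt), acct.password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(
            token, user_id, client, next(self._clock), acct.password_generation)
        return token

    def is_valid(self, token: str) -> bool:
        """Live only if the session still exists AND was issued under the
        account's current password generation. The generation check is the
        backstop: a session missed by any revocation sweep still fails here."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        return sess.password_generation == self.accounts[sess.user_id].password_generation

    def active_clients(self, user_id: str) -> List[str]:
        return sorted(s.client for s in self.sessions.values()
                      if s.user_id == user_id and self.is_valid(s.token))

    def reset_password_buggy(self, user_id: str, new_password: str) -> None:
        """Models the failure mode: rotate the hash and sweep only web
        sessions; mobile sessions survive and the generation never moves."""
        acct = self.accounts[user_id]
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.password_changed_at = next(self._clock)
        for token in [t for t, s in self.sessions.items()
                      if s.user_id == user_id and s.client == "web"]:
            del self.sessions[token]

    def reset_password(self, user_id: str, new_password: str) -> None:
        """Correct path: rotate the hash, bump the generation, sweep all
        sessions for the account regardless of client type."""
        acct = self.accounts[user_id]
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.password_changed_at = next(self._clock)
        acct.password_generation += 1
        for token in [t for t, s in self.sessions.items() if s.user_id == user_id]:
            del self.sessions[token]

    def sessions_older_than_password(self, user_id: str) -> List[Session]:
        """Audit query: sessions issued before the account's last password
        change. A non-empty result is exactly the condition the article
        describes and is what an operator would use to pick accounts to
        force-log-out."""
        acct = self.accounts[user_id]
        return [s for s in self.sessions.values()
                if s.user_id == user_id and s.issued_at < acct.password_changed_at]
```

The audit query is the detection half of the story: after a change to the reset path, running it across all accounts would have surfaced the surviving mobile sessions, and forcing those accounts to log in again is the remediation the company describes.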
The log-outs may be inconvenient for affected users, but Twitter says it’s taking the step to ensure no unauthorized users remain logged into their accounts. Users can also review any active open sessions for their Twitter
Read more on pcmag.com