Weeks after Twitter’s ex-security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that didn’t close all of a user’s active logged-in sessions on Android and iOS after an account’s password was reset. This issue could have implications for those who had reset their password because they believed their Twitter account could be at risk, for instance because of a lost or stolen device.
Assuming whoever had possession of the device could access its apps, they would have had full access to the impacted user’s Twitter account.
In a blog post, Twitter explains that it had learned of the bug that had allowed “some” accounts to stay logged in on multiple devices after a user reset their password voluntarily.
Typically, when a password reset occurs, the session token that keeps a user logged into the app is also revoked — but that didn’t take place
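The mechanism described above, as an added illustrative model (not Twitter’s code): each session records the password generation it was issued under, so a correct reset bumps the generation and revokes every device’s session at once, while the flawed variant only drops the session doing the reset. All class and function names are assumptions for this example.

```python
import secrets  # illustrative model of session revocation, not Twitter's implementation
from dataclasses import dataclass

@dataclass
class User:
    password_hash: str
    password_generation: int = 0  # bumped on every reset; checked in is_valid()

@dataclass
class Session:
    user: str
    device: str
    generation: int  # password_generation at the time the session was issued

class SessionStore:
    def __init__(self):
        self.users = {}     # username -> User
        self.sessions = {}  # session token -> Session

    def add_user(self, name, password_hash):
        self.users[name] = User(password_hash)

    def login(self, name, device):
        token = secrets.token_hex(16)
        self.sessions[token] = Session(name, device, self.users[name].password_generation)
        return token

    def is_valid(self, token):
        s = self.sessions.get(token)
        # A session issued under an older password generation is rejected.
        return s is not None and s.generation == self.users[s.user].password_generation

    def reset_password_buggy(self, name, new_hash, current_token):
        # Flawed pattern: only the session performing the reset is dropped, so a
        # session on a lost or stolen device survives the password change.
        self.users[name].password_hash = new_hash
        self.sessions.pop(current_token, None)

    def reset_password(self, name, new_hash, current_token):
        # Correct pattern: bumping the generation revokes every existing session for
        # the user on every device at once; the resetting device gets a fresh token.
        user = self.users[name]
        user.password_hash = new_hash
        user.password_generation += 1
        return self.login(name, self.sessions[current_token].device)

def logged_in_devices(store, name):
    # Devices that still hold a usable session for the user.
    return sorted(s.device for t, s in store.sessions.items() if s.user == name and store.is_valid(t))
```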