You can now find Cyber Kendra on Google News | Telegram

Twitter Fix Session Validation Bug on Password Reset

Improper Session Handling flaw after Password Reset

password resets bug on Twitter

Twitter has just fixed the password reset bug that allowed Twitter accounts to stay logged in from multiple devices after a voluntary password reset. This bug was introduced last year when Twitter made a change to its password reset systems. 

In order to protect its users, Twitter has forced logout of all the [maybe] affected users' sessions. In the blog post, Twitter wrote -

In order to help ensure the safety and security of everyone that may have been affected, we’ve proactively logged people who may have been affected out of active sessions.

We take our responsibility to protect your privacy very seriously and it is unfortunate this happened. While there is no action for you to take, we want to share more about the steps we’ve taken and best practices for keeping your account safe. - Twitter added

About the Bug

Twitter found that the bug in Twitter session management allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset. That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed, this is something called Improper Session Handling or OWSAP A5-Broken Access Control.

Vulnerability Details and Scenario

Here is the scenario which can describe the bug or you can read about the bug on the OWSAP page 

Description: On changing the password both session using which the user changes the password and  old sessions in any other browser or device does not expire and remains active

STEPS TO REPRODUCE:

  1. Log in to Browser A and make sure to check the 'stay logged in to this device' checkbox while logging in.
  2. From Browser B  login to your account and change your password Notice that Session on Browser A will remain active and does not expire.

IMPACT:Due to this bug, there is no way for the victim to revoke access to an attacker if the account has been already compromised. 

Twitter noted that they have directly contacted the users whoever is affected by this bug, as it force them to log out of open sessions across devices, and prompted them to log in again. 

Additionally, Twitter strongly recommends everyone to check out the controls available in their settings and review active open sessions regularly. 

In 2016 also, Twitter fixed a bug that affected its password recovery systems for a day. The bug had the potential to expose the email address and phone number associated with a small number of accounts (less than 10,000 active accounts).

Post a Comment

Cookie Consent
We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.
Oops!
It seems there is something wrong with your internet connection. Please connect to the internet and start browsing again.
AdBlock Detected!
We have detected that you are using adblocking plugin in your browser.
The revenue we earn by the advertisements is used to manage this website, we request you to whitelist our website in your adblocking plugin.
Site is Blocked
Sorry! This site is not available in your country.