Twitter has fixed a password reset bug that allowed accounts to stay logged in on multiple devices after a voluntary password reset. The bug was introduced last year when Twitter made a change to its password reset systems.
To protect its users, Twitter has forcibly logged out the sessions of all users who may have been affected. In its blog post, Twitter wrote:
In order to help ensure the safety and security of everyone that may have been affected, we’ve proactively logged people who may have been affected out of active sessions.
We take our responsibility to protect your privacy very seriously and it is unfortunate this happened. While there is no action for you to take, we want to share more about the steps we’ve taken and best practices for keeping your account safe. - Twitter added
About the Bug
Twitter found that a bug in its session management allowed some accounts to stay logged in on multiple mobile devices after a voluntary password reset. In other words, if you proactively changed your password on one device but still had an open session on another device, that other session may not have been closed. This class of flaw is known as improper session handling and falls under OWASP A5: Broken Access Control. The security expectation is simple: a password change is the user's signal that the old credential is no longer trusted, so every session issued under the old credential should stop working, including "stay logged in" sessions on other devices.
Vulnerability Details and Scenario
Here is a scenario that describes the bug; you can also read about this class of flaw on the OWASP page.
Description: After a password change, neither the session used to change the password nor the older sessions open in any other browser or device expire; all of them remain active.
STEPS TO REPRODUCE:
- Log in from Browser A and make sure to tick the 'stay logged in to this device' checkbox while logging in.
- From Browser B, log in to the same account and change your password. Notice that the session in Browser A remains active and does not expire.
IMPACT: Because of this bug, a victim whose account has already been compromised has no way to revoke the attacker's access by changing the password.
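The following is an added example, not Twitter's code or anything from the OWASP page: a small in-memory session store that reproduces the Browser A / Browser B scenario above, first with the flawed behaviour and then with the fix described in the "About the Bug" section. Every name in it (SessionStore, credential_version, run_scenario) is a hypothetical construct for illustration. The fix it demonstrates is a per-user credential version counter: each session records the counter value at login, the counter is bumped on every password change, and any session carrying a stale value fails validation on its next request, whether it is a plain cookie or a persistent "stay logged in" session.

```python
"""Session handling on password change: the flawed behaviour beside the fix.

Constructed example, not Twitter's code. The `credential_version` counter is
a hypothetical mechanism that invalidates every session issued before the
password was changed.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; use Argon2 or bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    credential_version: int = 0  # bumped on every password change


@dataclass
class Session:
    username: str
    credential_version: int  # user's counter value when this session was issued
    persistent: bool  # "stay logged in to this device"


class SessionStore:
    def __init__(self, invalidate_on_password_change: bool):
        self.invalidate_on_password_change = invalidate_on_password_change
        self.users = {}     # username -> User
        self.sessions = {}  # session id -> Session

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(salt, hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))

    def login(self, username: str, password: str, persistent: bool = False):
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, user.credential_version, persistent)
        return sid

    def is_valid(self, sid: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        # A session stamped with an older credential version is dead, regardless
        # of whether it was a plain cookie or a persistent "remember me" login.
        return sess.credential_version == self.users[sess.username].credential_version

    def change_password(self, sid: str, old_password: str, new_password: str) -> None:
        if not self.is_valid(sid):
            raise PermissionError("not logged in")
        sess = self.sessions[sid]
        user = self.users[sess.username]
        if not self._check_password(user, old_password):
            raise PermissionError("wrong current password")
        user.salt = os.urandom(16)
        user.pw_hash = hash_password(new_password, user.salt)
        if self.invalidate_on_password_change:
            # Bump the counter so every other session fails is_valid(); the
            # session that made the change is re-stamped so it alone survives.
            user.credential_version += 1
            sess.credential_version = user.credential_version
        # Flawed behaviour (the bug in the article): the hash changes but the
        # counter does not, so Browser A's session keeps working.


def run_scenario(hardened: bool) -> dict:
    """Browser A stays logged in; Browser B changes the password."""
    store = SessionStore(invalidate_on_password_change=hardened)
    store.register("victim", "hunter2")  # constructed account and credentials
    browser_a = store.login("victim", "hunter2", persistent=True)
    browser_b = store.login("victim", "hunter2")
    store.change_password(browser_b, "hunter2", "correct horse battery staple")
    return {
        "a_still_valid": store.is_valid(browser_a),
        "b_still_valid": store.is_valid(browser_b),
        "old_password_works": store.login("victim", "hunter2") is not None,
    }


if __name__ == "__main__":
    print("flawed:  ", run_scenario(hardened=False))
    print("hardened:", run_scenario(hardened=True))
```

With `hardened=False` the old password stops working but Browser A's session is still accepted, which is exactly the impact described above: the victim cannot lock an attacker out. With `hardened=True` only the session that performed the change survives. The version check is lazy (stale sessions are rejected on their next request rather than deleted), so a real service should also purge them from the store, or the "active sessions" list users are asked to review would still show them.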
Twitter noted that it has directly contacted the users affected by this bug, forcibly logged them out of open sessions across their devices, and prompted them to log in again.
Additionally, Twitter strongly recommends that everyone review the controls available in their account settings and check their active sessions regularly.
Back in 2016, Twitter also fixed a bug that affected its password recovery systems for about a day. That bug had the potential to expose the email address and phone number associated with a small number of accounts (fewer than 10,000 active accounts).