
Twitter Discloses It Wasn't Logging Users Out of Accounts After Password Resets (techcrunch.com)

Weeks after Twitter's ex-security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that didn't close all of a user's active logged-in sessions on Android and iOS after an account's password was reset. From a report: This issue could have implications for those who reset their password because they believed their Twitter account could be at risk, for instance after a lost or stolen device. Assuming whoever had possession of the device could access its apps, they would have had full access to the impacted user's Twitter account. In a blog post, Twitter explains that it had learned of the bug that had allowed "some" accounts to stay logged in on multiple devices after a user reset their password voluntarily. Typically, when a password reset occurs, the session token that keeps a user logged into the app is also revoked -- but that didn't take place on mobile devices, Twitter says. Web sessions, however, were not impacted and were closed appropriately, it noted.
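The revocation behaviour the report describes, as an added illustration (not Twitter's code): a reset routine that drops only web sessions, so tokens held by the mobile apps keep working, beside a fix that invalidates every session a user holds by bumping a per-user password generation; the client labels, user names and store layout are constructed for the example.

```python
# Added example (not Twitter's code): a reset that revokes only web
# sessions, beside a fix that invalidates every session of the user.
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    token: str
    user: str
    client: str       # "web", "ios" or "android" (constructed labels)
    generation: int   # password generation the token was issued under

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)       # token -> Session
    pw_generation: dict = field(default_factory=dict)  # user -> int

    def login(self, user, client):
        gen = self.pw_generation.setdefault(user, 0)
        s = Session(secrets.token_hex(16), user, client, gen)
        self.sessions[s.token] = s
        return s.token

    def is_valid(self, token):
        s = self.sessions.get(token)
        return s is not None and s.generation == self.pw_generation.get(s.user)

    def reset_password_buggy(self, user):
        # The defect: only web sessions are dropped, mobile tokens survive.
        for t in [t for t, s in self.sessions.items()
                  if s.user == user and s.client == "web"]:
            del self.sessions[t]

    def reset_password_fixed(self, user):
        # Bump the generation: every token issued before the reset,
        # whatever client it came from, now fails validation.
        self.pw_generation[user] = self.pw_generation.get(user, 0) + 1

def live_sessions(store, user):
    # Clients that still hold a usable session for this user.
    return sorted(s.client for s in store.sessions.values()
                  if s.user == user and store.is_valid(s.token))

def demo(fixed):
    store = SessionStore()
    for client in ("web", "ios", "android"):  # one constructed login each
        store.login("alice", client)
    (store.reset_password_fixed if fixed else store.reset_password_buggy)("alice")
    return live_sessions(store, "alice")
```

`demo(False)` reports the iOS and Android sessions still live after the reset; `demo(True)` reports none, and a login made after the fixed reset is issued under the new generation and validates normally.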
  • by geekmux ( 1040042 ) on Thursday September 22, 2022 @01:25PM (#62904983)

    I've worked for both small start-ups and established companies. Nothing in the multi-billion dollar revenue range. It was far more understandable (not acceptable) to find smaller orgs being dismissive of cybersecurity.

    But Twitter isn't just a large company. They're fucking huge. As in damn near Too Big To Fail given politicians' addictions to it. And this password reset bullshit is just the icing on the cake after hearing Mudge's testimony. I was damn near pulling my hair out listening to that, wondering how in the FUCK such a large company can be such a monumental failure when it comes to cybersecurity.

    I'm still beside myself. I've seen better security with garage door openers. I might as well stay beside myself. I won't have to go far when we find the predictable end result of zero punishment.

    • by ls671 ( 1122017 ) on Thursday September 22, 2022 @01:31PM (#62905015) Homepage

      Most applications I have seen don't log out all active sessions on password change. The active session of the user changing the password is sometimes terminated, forcing a new login, but applications supporting multiple active sessions don't usually log out the other sessions since the token is still valid.

      Interesting point from a security standpoint, though. Maybe I'll implement it in the future.

    • by gweihir ( 88907 )

      Indeed. The reason is simple though: The bad actors responsible for this crap (very much including the CEO and the CSO or CISO) have nothing to fear. And that has to change.

  • by Ritz_Just_Ritz ( 883997 ) on Thursday September 22, 2022 @01:32PM (#62905021)

    There's no incentive for them to give a fuck. There is rarely any real punishment for being careless with customer data.

    • by gweihir ( 88907 )

      Indeed. For something this gross, the very least that should happen is a personal (!) fine of unpleasant height for the CEO and CISO and a suspended prison sentence of a few months for both. Anything less will obviously have no effect.

  • Three Stooges IT Security but unlike Moe, Larry and Curly this isn't funny.

  • Do these companies not even get the very _basics_ right? What abysmally incompetent people are they hiring and putting in charge? This is not even gross negligence anymore, something like this can only be intentional incompetence.

  • This is what happens when you hire non-technical managers and let them run their mouth in meetings.

  • I also have that bug. It's called laziness.
