Twitter Admits Recording Plaintext Passwords in Internal Logs, Just Like GitHub


Quote: Following an internal audit, Twitter admitted today that due to a bug in its password storage mechanism it accidentally logged some users' passwords in internal logs.

Today's disclosure comes after GitHub made a similar announcement earlier this week, describing a similar incident.

Just like in the GitHub incident, the passwords were recorded in Twitter's internal server logs in their plaintext format.

Bug wrote plaintext passwords to log files
Twitter said it normally masks passwords by passing them through the bcrypt hashing function, considered an industry standard among top tech giants.

"Due to a bug, passwords were written to an internal log before completing the hashing process," a Twitter spokesperson said. "We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."

Bleeping Computer has reached out to Twitter to inquire about the number of affected users, but the social network did not respond before this article's publication.

Twitter lets users decide whether to change passwords or not
When this happened on GitHub, the code repository portal sent out emails to all affected customers and forcibly reset passwords for all affected users.

No Twitter user has yet reported receiving such emails, but some are being forced to choose a new password. The company also published a security advisory on its site.

Twitter doesn't see this as a big security issue, arguing that its systems were never breached and that only a handful of employees might have seen the exposed passwords.

"Our investigation shows no indication of breach or misuse by anyone," Twitter said.


UPDATE [May 4, 2018]: A Twitter spokesperson told us today via email that the incident is not related in any way to the GitHub issue. A GitHub employee also confirmed to Ars Technica the two incidents have nothing to do with each other, the GitHub issue being caused by an anti-spam system, not the password hashing mechanism cited by Twitter.

SOURCE
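Added example, not from the BleepingComputer article and not Twitter's or GitHub's code: a small Python model of the bug the article describes (a request logged before the password is hashed), next to two fixes, hashing before logging and a logging filter that redacts secret fields, plus a canary check that greps the captured log for the plaintext. Twitter says it uses bcrypt; the example substitutes PBKDF2 from the standard library so it runs without third-party packages. The field names, log messages and the sample request are constructed.

```python
import hashlib
import hmac
import io
import logging
import os
import re

# Added example (not Twitter's or BleepingComputer's code). Field names, log messages
# and the sample request below are constructed for illustration.

# Request fields whose values must never reach a log line (constructed list).
SECRET_KEYS = {"password", "new_password", "passwd", "token"}

# Catches secrets pasted into free-form messages such as "password=hunter2".
_SECRET_RE = re.compile(r"(?i)\b(password|passwd|token)\s*[=:]\s*\S+")

# PBKDF2 stands in for bcrypt (which Twitter says it uses) so this runs on the stdlib alone.
_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing salted hash; only this string should ever be stored or logged."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return f"pbkdf2-sha256${_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class RedactingFilter(logging.Filter):
    """Defence in depth: masks secret fields in a record before any handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # logging collapses a single mapping argument into record.args itself.
        if isinstance(record.args, dict):
            record.args = {k: ("[REDACTED]" if k in SECRET_KEYS else v) for k, v in record.args.items()}
        record.msg = _SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", str(record.msg))
        return True


def set_password_vulnerable(logger: logging.Logger, request: dict) -> str:
    # The bug pattern: the raw request is logged for debugging *before* hashing,
    # so the plaintext password lands in the log file.
    logger.debug("password change request: %s", request)
    return hash_password(request["password"])


def set_password_hardened(logger: logging.Logger, request: dict) -> str:
    # Hash first, then log only non-secret fields by name.
    stored = hash_password(request["password"])
    logger.info("password changed for user=%s", request["username"])
    return stored


def build_logger(name: str, stream: io.StringIO, redact: bool) -> logging.Logger:
    """Isolated logger writing to an in-memory buffer so the output can be inspected."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    if redact:
        logger.addFilter(RedactingFilter())
    logger.addHandler(logging.StreamHandler(stream))
    return logger


def log_leaks_secret(log_text: str, secret: str) -> bool:
    """Canary check: set a known password on a test account, then grep the logs for it."""
    return secret in log_text


def run_demo(username: str = "alice", password: str = "correct horse battery staple") -> dict:
    request = {"username": username, "password": password}  # constructed sample request
    results = {}
    for label, handler, redact in (
        ("vulnerable", set_password_vulnerable, False),
        ("vulnerable_with_filter", set_password_vulnerable, True),
        ("hardened", set_password_hardened, True),
    ):
        buf = io.StringIO()
        stored = handler(build_logger(f"demo.{label}", buf, redact), request)
        results[label] = {
            "log": buf.getvalue(),
            "leaked": log_leaks_secret(buf.getvalue(), password),
            "verifies": verify_password(password, stored),
        }
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(f"{label:24} leaked={r['leaked']!s:5} verifies={r['verifies']}  log={r['log'].strip()!r}")
```

The filter only sees records that pass through the logger it is attached to, so it does not protect a debug print or a web framework's own request-body logging; the canary check (a test account with a known password, followed by a search of the log store for that value) is the cheap audit that catches those paths as well, and it is the kind of check that would have surfaced this bug before an audit did.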

