1. 10
  1.  

  2. 5

    This link is more useful: https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

    By all accounts, Twitter did the right thing here. They’ve owned up to it and are advising people to change their passwords. They seem pretty open about the whole thing so far. This looks like an “honest bug.”

    @tptacek even agrees with Dan Kaminsky about it: https://twitter.com/tqbf/status/992202949018431491

    1. 1

      I mean, sure, let’s say it’s an honest bug. How was this even a possible bug?

      1. 8

        Lots of frameworks will go ahead and log the entire request params hash by default, and while many will automatically filter fields with “password” in the name, not all do! Who knows if this is it, but there are certainly a bunch of ways with infinite middleware layers, dozens of intermediary proxies handling request data, etc.

        1. 2

          Somebody accidentally left a log statement somewhere while testing something and it made it into a pull request, would be my guess.

          1. 2

            I hope that they provide some insight into that.

        2. 3

          Maybe someone at Twitter saw the similar GitHub issues a few days ago and thought to audit their logs?

          1. 4

            My guess is that both Twitter and GitHub saw the GDPR deadline looming and decided to audit their estates.

          2. 2

            In the last week I got a message like this from both Twitter and GitHub. I am happy I started using a password manager and random passwords.
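The comment above about frameworks logging the whole request params hash, and only some of them filtering keys with “password” in the name, is the mechanism worth seeing concretely. The following is an added example, not code from the thread, from Twitter or from any particular framework: it contrasts a naive key filter (the literal key `password` only, roughly what a framework default gives you) with a recursive, pattern-based redactor applied before the params ever reach a log line. The `SAMPLE` request, the key names and the `SENSITIVE_KEY` pattern are all constructed for illustration.

```python
import json
import re
from typing import Any, Callable

# Assumed list of key-name patterns to treat as secrets. A real deployment
# would tune this; the point is that a filter is only as good as its list.
SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|authorization|cookie", re.I)
MASK = "[FILTERED]"


def redact_params(params: Any, pattern: re.Pattern = SENSITIVE_KEY) -> Any:
    """Return a copy of params with the value of every key matching `pattern`
    replaced by MASK. Recurses into nested dicts and lists, because request
    bodies are rarely flat and a secret two levels down is still a secret."""
    if isinstance(params, dict):
        return {
            k: (MASK if pattern.search(str(k)) else redact_params(v, pattern))
            for k, v in params.items()
        }
    if isinstance(params, list):
        return [redact_params(v, pattern) for v in params]
    return params


def naive_redact(params: dict) -> dict:
    """Top-level, exact-name filter: masks only a key literally called
    'password'. Misses variant names and anything nested."""
    return {k: (MASK if k == "password" else v) for k, v in params.items()}


def log_line(route: str, params: dict, redactor: Callable[[dict], Any]) -> str:
    """The kind of 'Processing <route> params=...' line a framework emits at
    debug level; the redactor is what stands between the secret and the log."""
    return f"Processing {route} params={json.dumps(redactor(params), sort_keys=True)}"


def leaks(line: str, secrets: tuple) -> list:
    """Which of the given plaintext secrets appear verbatim in the log line."""
    return [s for s in secrets if s in line]


# Constructed sample login request; nothing here is real data.
SAMPLE = {
    "username": "alice",
    "password": "hunter2",
    "profile": {"recovery": {"old_passwd": "hunter1"}},
    "integrations": [{"api_token": "tok_abc123"}],
}
SECRETS = ("hunter2", "hunter1", "tok_abc123")

if __name__ == "__main__":
    for name, redactor in (
        ("unfiltered", lambda p: p),
        ("naive", naive_redact),
        ("recursive", redact_params),
    ):
        line = log_line("/sessions", SAMPLE, redactor)
        print(f"{name:10s} leaked={leaks(line, SECRETS)}\n  {line}")
```

Running it shows the unfiltered line leaking all three values, the naive filter still leaking `hunter1` and `tok_abc123` (nested key and non-`password` name), and the recursive filter leaking none. The remaining failure modes are the ones the thread points at: a filter that runs in the application but not in the proxy or middleware in front of it, an ad-hoc `print`/`logger.debug(request)` added while testing, and a key name that the pattern list simply does not know about.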