OpenAI Logout Glitch: When “Log Out of All Sessions” Didn’t Log Me Out

 While reviewing session management behaviors on OpenAI’s platform, I came across a subtle but important flaw: the “Log out of all sessions” feature on the web version didn’t actually log me out of the OpenAI mobile app.

🔍 The Discovery

I was simultaneously logged into my OpenAI account on both the web (via Chrome on desktop) and the mobile app (on a Redmi 10 running Android 13). After choosing “Log out of all sessions” from the desktop, I expected to be signed out everywhere.

But 30 minutes later, I opened the mobile app—and I was still logged in. Even force-closing and reopening the app didn’t trigger a login prompt.

🚨 Why This Matters

This behavior reflects a failure to invalidate active sessions across devices, which falls under a known vulnerability category:
Broken Authentication and Session Management > Failure to Invalidate Session > On Logout (Client and Server-Side)

In practical terms, this could allow a session to remain active on a lost or shared device—even after a user believes they’ve logged out everywhere. It weakens the trust users place in the “log out of all sessions” safety net.

🛠️ Resolution & Acknowledgement

The issue was reported through Bugcrowd and triaged under expedited review. While OpenAI confirmed the bug had already been submitted by another researcher (hence marked as a duplicate), the underlying vulnerability has since been fixed as of June 4, 2025.

🧠 Takeaway

Even seemingly minor inconsistencies in session management can lead to serious user privacy concerns. Users deserve confidence that when they click “log out everywhere,” their sessions truly end everywhere.

Security isn’t just about stopping attackers—it’s about aligning platform behavior with user expectations.

Comments

Post a Comment

Popular posts from this blog

🚨When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Two-factor authentication (2FA) is supposed to be a cornerstone of digital security. It’s that extra lock on the door — a way to prove you’re really you, not just someone with your password. But what happens if that lock can be turned on silently, without your knowledge? While testing Instagram’s multi-account feature on their mobile app, I discovered a surprising and concerning flaw: when creating a second Instagram account using the same Gmail address within the app, the system automatically enables SMS-based 2FA on the new account without any verification . Yes, you read that right — no SMS code, no confirmation, nothing. How This Happens Imagine you’re logged into Instagram Account A, which already has two-factor authentication enabled with your verified phone number. From there, you use Instagram’s “Add Account” → “Create New Account” option and register a second account, Account B, with the same Gmail . When you try to enable 2FA via text message on Account B, Instagram doesn’...
Read more

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook allows users to control who can see the number of likes on their posts. For those who prefer privacy, there’s an option to make likes visible only to themselves — a simple setting designed to keep that engagement private. But here’s the catch: despite this privacy setting, a surprising loophole exists. Likes that are hidden on the post itself can still be viewed by others through the Reels feature . This inconsistency creates an unintended privacy gap, potentially exposing user engagement data that was meant to stay private. What’s Happening? Users who choose “Only Me” for like visibility expect that no one else can see their like counts on posts. While Facebook respects this setting on the main post, the same setting is not enforced in Reels. When others view the Reel related to the post, they can see the total likes — completely bypassing the user’s privacy preferences. Why This Is a Problem Privacy settings are fundamental to user trust. If a user takes the time to hi...
Read more