OpenAI Logout Glitch: When “Log Out of All Sessions” Didn’t Log Me Out

Finding a Session Logout Flaw on OpenAI’s Platform

While using OpenAI’s services, I noticed a subtle but important issue with how sessions are managed across devices. Specifically, the “Log out of all sessions” feature on the OpenAI web platform didn’t log me out from the mobile app.

Description of the Issue

I was logged into my OpenAI account at the same time on two devices: my desktop browser (Chrome) and the OpenAI mobile app on an Android device. When I chose “Log out of all sessions” from the desktop web interface, I expected that my account would be signed out everywhere — on both desktop and mobile.

However, after about 30 minutes, I opened the mobile app and found that I was still logged in. Even after force-closing and reopening the app, it did not ask me to log in again. This showed that the mobile session remained active despite my explicit command to log out everywhere.

Steps to Reproduce

  1. Log into OpenAI on both a desktop browser and the mobile app using the same account.

  2. From the desktop browser, select “Log out of all sessions” from the account or security settings.

  3. Wait and then check the mobile app.

  4. Observe that the mobile app session is still active, allowing access without requiring re-authentication.

  5. Attempt to force-close and reopen the app; notice it does not prompt for login.

Security and Privacy Impact

This flaw falls under the category of broken authentication and session management — specifically, failure to invalidate sessions on logout:

  • Session Persistence Risk: A session stays active on devices where the user expects to be logged out, increasing risk if a device is lost, stolen, or shared.

  • User Trust Undermined: Users rely on “log out of all sessions” as a safety measure. When it doesn’t work, confidence in account security erodes.

  • Potential Unauthorized Access: Someone with access to a logged-in device could continue using the account even after the owner believes they have revoked all sessions.

Business Impact

If session invalidation doesn’t work correctly, it can:

  • Increase support tickets and complaints from concerned users.

  • Harm the platform’s reputation for security and privacy.

  • Lead to compliance issues in regions with strict data protection and security laws.

  • Raise concerns for enterprise customers relying on secure session controls.

Resolution and Follow-Up

I reported this behavior through OpenAI’s Bugcrowd program. Although the issue was identified earlier by another researcher (so my report was marked duplicate), OpenAI confirmed the bug and fixed it as of June 4, 2025.

Conclusion

This experience taught me how even minor inconsistencies in session management can have meaningful privacy implications. Users expect that “log out everywhere” really means all devices are signed out. Ensuring session invalidation works correctly is essential—not just to block attackers, but to meet user expectations and maintain trust.


Comments

Post a Comment

Popular posts from this blog

When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

Understanding Android’s One-Time Permissions and Their Privacy Implications

I recently came across something unusual in Android’s one-time permission system — something that doesn’t quite match the way it’s described in the official documentation. This is related to the permissions we often see when an app asks for access to sensitive resources like the microphone or camera with the setting “Ask every time.” According to Android’s official documentation, one-time permissions should work like this: When the app is visible and in use, it can access the requested resource. If the app is sent to the background, it may still access the resource briefly. If the app is completely closed — either by swiping it away or force stopping it — the permission is revoked immediately. That means, in theory, if I close an app after granting it one-time access, it should ask me again the next time it needs that permission. What I Found While testing, I discovered that Android doesn’t always revoke these permissions instantly when the app is closed. Instead, if ...
Read more

I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed

I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence. Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access. How I Discovered It It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually create...
Read more