Article 6NT01 An ID verification service that works with TikTok and X left its credentials wide open for a year

An ID verification service that works with TikTok and X left its credentials wide open for a year

by
Lawrence Bonk
from Engadget is a web magazine with obsessive daily coverage of everything new in gadgets and consumer electronics on (#6NT01)

An ID verification company that works on behalf of TikTok, X and Uber, among others, has left a set of administrative credentials exposed for more than a year, as reported by 404 Media. The Israel-based AU10TIX verifies the identity of users by using pictures of their faces and drivers' licenses, potentially opening up both to hackers.

My personal reading of this situation is that an ID Verification service provider was entrusted with people's identities and it failed to implement simple measures to protect people's identities and sensitive ID documents," Mossab Hussein, the chief security officer at cybersecurity firm spiderSilk who originally noticed the exposed credentials, said.

The latest discovery by spiderSilk covering an incident affecting AU10TIX.

Thanks @josephfcox for covering this. https://t.co/hoiV95B6XT

- Mossab Hussein (@mossab_hussein) June 26, 2024

The set of admin credentials that were left exposed led right to a logging platform, which in turn included links to identity documents. There's even some reason to suspect that bad actors got ahold of these credentials and actually used them.

They appear to have been scooped up by malware in December 2022 and placed on a Telegram channel in March 2023, according to timestamps and messages acquired by 404 Media. The news organization downloaded the credentials and found a wealth of passwords and authentication tokens linked to someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX.

If hackers got ahold of customer data, it would include a user's name, date of birth, nationality, ID number and images of uploaded documents. It's pretty much all an internet gollum would need to steal an identity. All they would have to do is snatch up the credentials, log in and start wreaking havoc. Yikes.

AU10TIX has issued a statement on the matter, writing that the data was potentially accessible" but that it sees no evidence that such data has been exploited." The company said that impacted customers have been notified and that it's decommissioning the current operating system in favor of a new one that focuses more on security.

Some of its partners switched verification companies before this issue popped up. A spokesperson for Upwork said that it has been working with a different service provider for some time now." X, however, just signed up with AU10TIX back in September and it uses government-issued IDs to verify premium users. Others, like Fiverr and Coinbase have said they aren't aware of any data exposure, though they still work with AU10TIX.

Dumping customer data on Telegram or on the dark web has become the most popular way for hackers to do their thing. Back in late March, over 73 million AT&T passwords were leaked onto the dark web. LoanDepot experienced a similar issue this year, as did the US Department of Defense.

This article originally appeared on Engadget at https://www.engadget.com/an-id-verification-service-that-works-with-tiktok-and-x-left-its-credentials-wide-open-for-a-year-171258438.html?src=rss
External Content
Source RSS or Atom Feed
Feed Location https://www.engadget.com/rss.xml
Feed Title Engadget is a web magazine with obsessive daily coverage of everything new in gadgets and consumer electronics
Feed Link https://www.engadget.com/
Feed Copyright copyright Yahoo 2024
Reply 0 comments