As social networks and porn sites move towards a verified identity model, the actions of one cybersecurity researcher show that ID verification services themselves could get hacked too.

A company that verifies the identities of TikTok, Uber, and X users, sometimes by processing photographs of their faces and pictures of their drivers’ licenses, exposed a set of administrative credentials online for more than a year potentially allowing hackers to access that sensitive data, according to screenshots and data obtained by 404 Media.

The Israel-based company, called AU10TIX, offers what it describes on its website as “full-service identity verification solutions.” This includes verifying peoples’ identity documents, conducting “liveness detection” in a real-time video stream with the user, and performing age verification, where a service will predict how old someone is based on their uploaded photo. AU10TIX also includes the logos of other companies on its site, such as Fiverr, PayPal, Coinbase, LinkedIn, and Upwork, some of which confirmed to 404 Media they are active or former AU10TIX clients.

The news comes as more social networks and pornography sites move towards an identity or age verification model, in which users are required to upload their real identity documents in order to access certain services. The breach highlights that identity services could themselves become a target for hackers. The cybersecurity researcher did not distribute the data beyond providing screenshots and some data to 404 Media for verification purposes.

“My personal reading of this situation is that an ID Verification service provider was entrusted with people’s identities and it failed to implement simple measures to protect people’s identities and sensitive ID documents,” Mossab Hussein, chief security officer at cybersecurity firm spiderSilk, and who alerted 404 Media to the exposed credentials, said.

👍Maximum Derek👍
link
fedilink
English
11
edit-2
4M

I recognized the name AU10TIX, because I half-joked on Lemmy about a potential mass doxxing of Xitter’s most vile users back in September when they announced the partnership. I assumed they’d be a target for ransomware/hackers, not that they’d just leave their admin creds out in the open.

Create a post

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community’s icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

  • 1 user online
  • 60 users / day
  • 170 users / week
  • 619 users / month
  • 2.31K users / 6 months
  • 1 subscriber
  • 3.28K Posts
  • 67K Comments
  • Modlog