Authenticator for X, TikTok Exposes Personal User Info for 18 Months

Published: 23/11/2024   Category: security




With many popular apps, users must hand over personal information to prove their identity, and the big downside is they have no control over how that information gets processed and stored.



Swaths of personal data and documents belonging to users of the world's most popular apps have been exposed online for well over a year now, and may have leaked to cybercriminals a while ago.
The company responsible for the leak, AU10TIX, is based in a suburb of Tel Aviv and specializes in identity verification via personal documents, biometrics, and more. Its customers include major companies like X, TikTok, LinkedIn, Coinbase, eToro, PayPal, Fiverr, Upwork, Bumble, Uber, and others.
Recently, a security researcher discovered exposed credentials that belonged to a network operations center manager at AU10TIX. They included the manager's passwords and tokens for various accounts, including an AU10TIX logging platform, where the company handled data belonging to individuals whose identities it had vetted.
The logging platform data included names, birth dates, nationalities, and images of ID documents such as driver's licenses and passports.
Though the researcher limited his snooping, some data fields appeared to indicate the nature and purpose of the stored data, such as a chart with values like Impersonation_XCorp and uber-carshare-passport.
He also found proprietary data from the innards of the company's verification tech. One table, for example, contained results of live face scans, with a field rating the probability that the user's face was live on a scale from 0 to 1. Others measured the authenticity of documents and photos of faces.
Crucially, the exposed credentials seem to have been sucked up by malware back in December 2022, and posted to Telegram in March 2023.
In statements to 404media, AU10TIX initially claimed that "a thorough investigation" determined that employee credentials were illegally accessed then and were promptly rescinded. When the publication informed the vendor that the credentials were still exposed online as of this month, 18 months after the fact, the company said it would work to take down the exposed logging system. It also claimed to have notified affected customers, and highlighted that "based on our current findings, we see no evidence that such data has been exploited."
Customers today are faced with an unfortunate choice (if it can even be considered a choice). Whether it be cryptocurrency or payments, social media or dating, in order to use popular apps today, you often must hand over extra-sensitive information and documents that prove your identity. At the same time, you don't have any control over how that information and those documents are processed and stored.
Is there no way to achieve app security without a cost to personal security?
"Companies can adopt several methods for verifying identities that minimize the need to store sensitive documents and personally identifiable information," says Jason Soroko, senior vice president of product at Sectigo.
"One approach is tokenization, which involves storing tokens or hashed values representing the documents instead of the actual documents. This reduces the risk in case the storage system is compromised."
"Another method uses zero-knowledge proofs, a cryptographic technique that allows one party to prove to another that they know a value without conveying any information beyond the fact that they know the value. This can verify identity without exposing the actual data," Soroko explains. "Additionally, decentralized identity verification leverages blockchain technology, enabling users to control their identity information and share only the necessary parts with services that require verification, thereby enhancing privacy and security."
These methods, while enhancing security and privacy, require careful implementation and ongoing management to avoid introducing new vulnerabilities.
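The tokenization approach Soroko describes, as an added illustration that is not code from AU10TIX or any vendor named above: the verifier keeps only a keyed hash of the document identifier plus a liveness score, so a logging platform or token store that leaks holds no name, document number or ID image. The `TokenVault` class, the key and the sample document numbers are hypothetical and constructed for this example; the secret key is assumed to live in a separate secrets store, which is what stops a leaked token table from being brute-forced the way a plain hash could be.

```python
import hmac
import hashlib
import unicodedata


def normalize(field: str) -> str:
    """Canonicalise a document field so the same ID always yields the same token."""
    return unicodedata.normalize("NFKC", field).strip().upper().replace(" ", "")


def make_token(key: bytes, doc_type: str, doc_number: str) -> str:
    """Keyed hash (HMAC-SHA256) over the document type and normalised number.

    A keyed hash, unlike a bare SHA-256 of a short ID number, cannot be
    reversed by guessing document numbers unless the attacker also has the key,
    which is never stored beside the tokens (assumption: separate secrets store).
    """
    msg = f"{doc_type.lower()}:{normalize(doc_number)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Hypothetical store that keeps tokens and scores, never the documents."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = {}  # token -> non-identifying verification metadata

    def enroll(self, doc_type: str, doc_number: str, liveness: float) -> str:
        # The raw document and its image are discarded after the token is made.
        token = make_token(self._key, doc_type, doc_number)
        self._records[token] = {"doc_type": doc_type.lower(), "liveness": liveness}
        return token

    def verify(self, doc_type: str, doc_number: str) -> bool:
        # Re-derive the token from the presented document; no lookup by name or number.
        return make_token(self._key, doc_type, doc_number) in self._records

    def export_for_logging(self) -> dict:
        """What a logging platform may receive: tokens and scores only."""
        return {t: dict(m) for t, m in self._records.items()}


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key-not-for-production")
    vault.enroll("passport", "ab 123456", 0.97)  # constructed sample document
    print(vault.verify("passport", "AB123456"), vault.export_for_logging())
```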
