An ID verification company that works on behalf of TikTok, X and Uber, among others, has left a set of administrative credentials exposed for more than a year, as reported by 404 Media. The Israel-based AU10TIX verifies the identity of users by using pictures of their faces and drivers’ licenses, potentially opening up both to hackers.
“My personal reading of this situation is that an ID Verification service provider was entrusted with people’s identities and it failed to implement simple measures to protect people’s identities and sensitive ID documents,” Mossab Hussein, the chief security officer at cybersecurity firm spiderSilk who originally noticed the exposed credentials, said.
The set of admin credentials that were left exposed led right to a logging platform, which in turn included links to identity documents. There’s even some reason to suspect that bad actors got ahold of these credentials and actually used them.
They appear to have been scooped up by malware in December 2022 and placed on a Telegram channel in March 2023, according to timestamps and messages acquired by 404 Media. The news organization downloaded the credentials and found a wealth of passwords and authentication tokens linked to someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX.
If hackers got ahold of customer data, it would include a user’s name, date of birth, nationality, ID number and images of uploaded documents. It’s pretty much all an internet gollum would need to steal an identity. All they would have to do is snatch up the credentials, log in and start wreaking havoc. Yikes.
[…]
Source: An ID verification service that works with TikTok and X left its credentials wide open for a year
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft