{
	"id": "bc0ad2b2-4518-4931-84ba-aeb40f3537b0",
	"created_at": "2026-04-06T00:13:06.53333Z",
	"updated_at": "2026-04-10T03:36:47.755265Z",
	"deleted_at": null,
	"sha1_hash": "f6d63b008049144c47e5a836edd4e7a27154bf1b",
	"title": "The security pitfalls of social media sites offering ID-based authentication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74443,
	"plain_text": "The security pitfalls of social media sites offering ID-based\r\nauthentication\r\nBy Jonathan Munshaw\r\nPublished: 2023-09-28 · Archived: 2026-04-05 17:25:46 UTC\r\nThe security pitfalls of social media sites offering ID-based authentication\r\nThursday, September 28, 2023 14:00\r\nWelcome to this week’s edition of the Threat Source newsletter.\r\nSince Elon Musk first started talking about purchasing Twitter/X around this time last year, one of his main\r\nsticking points has been how many bot accounts are on the platform and how that potentially affects advertising\r\nrevenue and user counts.\r\nIn the latest advancement in the alleged fight against bots, X recently launched a government ID-based\r\nauthentication process available to its paid premium users. The social media platform is partnering with a third-party security company to provide advanced, faster support to make it more difficult for others to impersonate the\r\nuser.\r\nThe setup process involves the user taking a picture of their government-issued ID with their computer’s camera. According to X’s Verification Policy, the third-party company only keeps the provided picture for as\r\nlong as it takes to verify the provided information, and any ID images are only kept for 72 hours. The information\r\nderived from the submitted pictures is stored for 30 days by the third party in the name of providing users “an\r\nopportunity to appeal a verification decision and for X to review your appeal.”\r\nMeta, Facebook and Instagram’s parent company, has been rolling out a similar program called Meta Verified that\r\nalso asks users to submit photos of a government ID and pay a subscription fee to receive “account verification\r\nwith impersonation protections and access to increased visibility and support.”\r\nTaken at face value, X and Meta’s retention policies for these provided images of IDs seem fine. The main issue\r\nfor me is I don’t really see what the concrete benefits here are.\r\nOn X, submitting the ID information and paying for the premium subscription only says it provides faster support,\r\nand an additional verification badge on a user’s account along with the now-infamous blue checkmark. The option\r\nis not available to business or organizational accounts, which seems like it’d be the space most ripe for\r\nimpersonation — I’ve certainly observed my fair share of Talos-impersonated accounts on that platform where\r\nsomeone tried passing as our organization.\r\nX is also saying it will only look into future benefits for this verification program, which “may explore additional\r\nmeasures, such as ensuring users have access to age-appropriate content and protecting against spam and\r\nmalicious accounts.”\r\nhttps://blog.talosintelligence.com/threat-source-newsletter-sept-28-2023/\r\nPage 1 of 4\n\nThe service still isn’t offered in the EU and U.K., either, presumably because of the stricter\r\ndata privacy laws in those regions.\r\nWhen these verification procedures are in place, there’s no guarantee they work, either. My sister-in-law had her\r\nInstagram/Meta account taken over by a cryptocurrency spammer last year, and even when she submitted a 360-degree selfie and images of her government-issued ID to Instagram, they denied her claim that her account was\r\nhacked, and to this day it’s still sending cryptocurrency spam to her family members even though she’s created a\r\nnew account. Her appeal was not accepted by the company, either.\r\nThat’s one very specific case, I know, but if I’m going to start sending these companies with dubious security\r\nhistories pictures of my driver’s license, I’m going to need a bit more than promises of future features and vague\r\nsupport promises before I’m sold on this method of multi-factor authentication.\r\nThe one big thing\r\nGoogle Chrome users should update their browsers as soon as possible after the company disclosed multiple,\r\nserious vulnerabilities. Google initially disclosed CVE-2023-4863 as a heap buffer overflow in the WebP image\r\nformat in Chrome. However, on Wednesday, it released a new advisory with CVE-2023-5129 identifying that the\r\nvulnerability actually existed in libwebp, meaning it affects multiple applications and not just Chrome. The\r\nupdated advisory also elevated the severity score to a maximum 10 out of 10. This week, Talos also disclosed\r\nCVE-2023-3421, a use-after-free vulnerability that affects Chrome. An attacker could exploit this vulnerability by\r\ntricking the target into visiting a specially crafted HTML web page.\r\nWhy do I care?\r\nChrome is a very popular web browser, and its Chromium open-source version serves as the basis for many other\r\nbrowsers. The critical WebP vulnerability is particularly notable because WebP is the new\r\ndefault file format that most images use when processed in Chrome. According to the advisory, “With a\r\nspecially crafted WebP lossless file, libwebp may write data out of bounds to the heap,” if an attacker exploits\r\nCVE-2023-5129.\r\nSo now what?\r\nThe advice here is pretty simple — update your Google Chrome if you haven’t already!\r\nTop security headlines of the week\r\nMGM casinos went back online last week after a 10-day outage caused by a ransomware attack. The company’s casinos\r\nand hotels were able to fix all issues pertaining to guest services and the electronic slot machines that had been\r\ntaken down due to the attack. One estimate suggests the outage may have cost the company upward of $80\r\nmillion. The Scattered Spider threat actor is taking credit for the attack, partnering with known ransomware\r\nmagnate ALPHV. Security researchers believe Scattered Spider is actually a hacking group that calls itself Star\r\nFraud. New research presented at LABScon last week also stated that the group infiltrated MGM and Caesars,\r\nanother casino manager, after gaining access to Okta authentication servers. (Washington Post, Associated Press)\r\nA hacking group claims to have breached “all of Sony [SIC] Systems” and is reportedly selling stolen data on\r\nthe dark web. A new group called Ransomed.vc is taking credit for the alleged attack and says it accessed more\r\nthan 6,000 files from the tech giant known for producing the PlayStation video game console. Sony says it is still\r\ninvestigating the group’s claims. Despite the name, Ransomed.vc is actually an extortion group and does not have\r\nits own encryptor. Instead, it plans to sell the data on the dark web for $2.5 million. However, other threat actors\r\nhave since stepped up to also take credit for the attack, leaving exact attribution in doubt. Another threat actor\r\ncalling themselves MajorNelson says they “leaked for free” a 2.4 GB compressed archive that contains 3.14 GB of\r\nuncompressed data they claim belongs to Sony. (Bleeping Computer, Kotaku)\r\nA new ransomware-as-a-service syndicate ShadowSyndicate is reportedly operating a massive network of\r\nservers that’s connected to other large ransomware families. Security researchers say the group has potential ties\r\nto the ALPHV ransomware group and other ransomware families like Clop, Play, Royal and Cactus. A new report\r\noutlines dozens of systems that ShadowSyndicate controls, including 52 that share the group’s secure shell (SSH)\r\nfingerprint and that it uses as Cobalt Strike beacons to manage and coordinate its various malware campaigns. It’s\r\ncurrently unclear if ShadowSyndicate is truly a ransomware-as-a-service group or more of an initial access broker.\r\n(DarkReading, SC Magazine)\r\nCan’t get enough Talos?\r\nTalos Takes Ep. #155: How Talos helped defend BlackHat's network in Vegas\r\nBeers with Talos Ep. #139: Who is Jacques Wagon?\r\nDecipher Security Podcast Source Code 9/22\r\nICS protocol coverage using Snort 3 service inspectors\r\n10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome\r\nUpcoming events where you can find Talos\r\nGrace Hopper Celebration (Sept. 26 - 29)\r\nOrlando, Florida\r\nCaitlin Huey, Susan Paskey and Alexis Merritt present a \"Level Up Lab\" titled \"Don’t Fail Knowledge\r\nChecks: Accelerating Incident Response with Threat Intelligence.\" Participate in several fast-paced\r\nactivities that emphasize the importance of threat intelligence in security incident investigations.\r\nAttendees will act as incident responders investigating a simulated incident that unfolds throughout this\r\nsession. Periodic checkpoints will include discussions that highlight how incident response and threat\r\nintelligence complement each other during an active security investigation.\r\nATT\u0026CKcon 4.0 (Oct. 24 - 25)\r\nMcLean, Virginia\r\nNicole Hoffman and James Nutland discuss the MITRE ATT\u0026CK framework in “One Leg to Stand on:\r\nAdventures in Adversary Tracking with ATT\u0026CK.” Even though ATT\u0026CK has become an industry\r\nstandard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of\r\nreports and blogs without any context, never to be seen again after dissemination. This is not useful for\r\nintelligence producers or consumers. In this presentation, Nicole and James will show analysts how to\r\nuse ATT\u0026CK as a guideline for creating a contextual knowledge base for adversary tracking.\r\nmisecCON (Nov. 17)\r\nLansing, Michigan\r\nTerryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to\r\nconduct analysis, learning from his years of experience (and mishaps). He will speak about the\r\neveryday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk\r\ncovers topics such as planning, finding evil, recording findings, correlation and creating your own\r\ntimelines.\r\nMost prevalent malware files from Talos telemetry over the past week\r\nSHA 256: e2cdf48bc6741afd7aba54d7c0b30401d2d6dd06138979ca73f3167915bf22b3\r\nMD5: eba4ad9540713d5956ab0b6a566c1487\r\nTypical Filename: webnavigatorbrowser.exe\r\nClaimed Product: WebNavigatorBrowser\r\nDetection Name: Win64:WebNav.26k0.rlsync.Talos\r\nSHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647\r\nMD5: bbcf7a68f4164a9f5f5cb2d9f30d9790\r\nTypical Filename: bbcf7a68f4164a9f5f5cb2d9f30d9790.vir\r\nClaimed Product: N/A\r\nDetection Name: Win.Dropper.Scar::1201\r\nSHA 256: 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa\r\nMD5: e9a6b1346d1a2447cabb980f3cc5dd27\r\nTypical Filename: профиль 10 класс.exe\r\nClaimed Product: N/A\r\nDetection Name: Application_Blocker\r\nSHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91\r\nMD5: 7bdbd180c081fa63ca94f9c22c457376\r\nTypical Filename: c0dwjdi6a.dll\r\nClaimed Product: N/A\r\nDetection Name: Trojan.GenericKD.33515991\r\nSource: https://blog.talosintelligence.com/threat-source-newsletter-sept-28-2023/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/threat-source-newsletter-sept-28-2023/"
	],
	"report_names": [
		"threat-source-newsletter-sept-28-2023"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "adf68b66-8287-44de-9cdc-3277508a8126",
			"created_at": "2023-11-05T02:00:08.082461Z",
			"updated_at": "2026-04-10T02:00:03.400457Z",
			"deleted_at": null,
			"main_name": "RansomVC",
			"aliases": [
				"Ransomed.vc"
			],
			"source_name": "MISPGALAXY:RansomVC",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eae4b6c4-8a61-4303-becc-b11f00b5bfda",
			"created_at": "2024-02-22T02:00:03.772831Z",
			"updated_at": "2026-04-10T02:00:03.592334Z",
			"deleted_at": null,
			"main_name": "ShadowSyndicate",
			"aliases": [],
			"source_name": "MISPGALAXY:ShadowSyndicate",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434386,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6d63b008049144c47e5a836edd4e7a27154bf1b.pdf",
		"text": "https://archive.orkl.eu/f6d63b008049144c47e5a836edd4e7a27154bf1b.txt",
		"img": "https://archive.orkl.eu/f6d63b008049144c47e5a836edd4e7a27154bf1b.jpg"
	}
}