Massive security problems: Perso app on the cell phone can be duped

3, 2, 1 and the fake digital driving license is ready. After massive security problems had already surfaced in the official app for the digital driver’s license, Verimi has now been hit as well. Behind it, among others, stand shareholders such as
  • Allianz
  • Axel Springer
  • Federal Printing Office
  • Daimler
  • Deutsche Bahn
  • Deutsche Bank
  • Deutsche Telekom
  • Lufthansa
  • Samsung
  • Volkswagen Financial Services

This app also tries its hand at the digital wallet. The idea: you should be able to identify yourself with just one click or fingertip, and your phone should give you easy and secure management of your identity. But security fails at the so-called photo identification process.

Security expert Martin Tschirsich levered this out and thereby obtained several fake digital identities. In order to outwit photo identification, he photographed the front and back of the driver’s license, digitally changed the name and printed out the manipulated images larger than life at a photo kiosk.

He then photographed the manipulated images with the app and took a selfie. The “AI-supported process” confirmed the authenticity of the images within seconds. Tschirsich states that the whole attack took only 30 minutes.

// Pending __tcfapi callbacks, keyed by the callId generated in window.__tcfapi
// below and looked up again in postMessageHandler.
// NOTE(review): the initialiser was lost in this copy of the page (the object
// literal braces are missing throughout this snippet).
const cmpCallbacks = ;

// Walk up the frame chain until a frame that hosts the CMP is found; the CMP
// frame is recognised by a child frame named '__tcfapiLocator'. Cross-origin
// frames throw on `.frames` access, hence the try. The right-hand side of the
// `frame ===` stop condition is missing in this copy of the page.
while(frame) try if (frame.frames['__tcfapiLocator']) cmpFrame = frame;



if(frame === break;

frame = frame.parent;

/**
 * Set up a __tcfapi proxy method to do the postMessage and map the callback.
 * From the caller's perspective, this function behaves identically to the
 * CMP API's __tcfapi call.
 *
 * @param {string} cmd - TCF command name (this page uses 'addEventListener',
 *   'getCustomVendorConsents', 'removeEventListener', 'postCustomConsent').
 * @param {number} version - TCF API version; every caller on this page passes 2.
 * @param {Function} callback - invoked with (returnValue, success) when the CMP
 *   frame answers, or with ({msg: 'CMP not found'}, false) immediately if no
 *   CMP frame was located.
 * @param {*} arg - command-specific parameter, forwarded unchanged as `parameter`.
 */

window.__tcfapi = function(cmd, version, callback, arg) if (!cmpFrame) callback(msg: 'CMP not found', false); else const callId = Math.random() + ''; const msg = __tcfapiCall: command: cmd, parameter: arg, version: version, callId: callId, , ;

// The callback is stored first so a synchronous reply cannot race the lookup.
// NOTE(review): targetOrigin is '*', so the request is delivered to whatever
// origin the CMP frame currently holds; if the CMP origin is known, passing it
// instead of '*' limits delivery to that origin.
cmpCallbacks[callId] = callback; cmpFrame.postMessage(msg, '*');


/**
 * Handle `message` events on this window: parse the payload, dispatch the
 * pending callback registered under payload.callId, then clear it (one-shot).
 *
 * NOTE(review): no comparison of event.origin or event.source against cmpFrame
 * is visible here, so the only gate on an incoming message is a matching
 * callId. Confirm that is acceptable for this deployment, or add
 * `if (event.source !== cmpFrame) return;` before parsing.
 *
 * @param {MessageEvent} event - the DOM message event (registered below with
 *   window.addEventListener('message', ...)).
 */
function postMessageHandler(event) let json = ;

// The operand of typeof / JSON.parse is missing in this copy of the page.
// Parse failures are swallowed on purpose: unrelated messages also arrive on
// this listener and simply produce no __tcfapiReturn payload.
try json = typeof === 'string' ? JSON.parse( :; catch (ignore)

const payload = json.__tcfapiReturn;

// Only messages carrying a __tcfapiReturn envelope are acted on; the callback
// is nulled after the first delivery so a repeated callId cannot fire it twice.
if (payload) if (typeof cmpCallbacks[payload.callId] === 'function') cmpCallbacks[payload.callId](payload.returnValue, payload.success); cmpCallbacks[payload.callId] = null;

window.addEventListener('message', postMessageHandler, false); }()); }

/**
 * Record consent for a single custom vendor via the CMP and reload the page
 * when the CMP returns a truthy result.
 *
 * @param {string} vendorId - CMP custom-vendor id to consent to.
 */
function consentSpecificVendor(vendorId) {
  // Reload so the consent-gated embeds on the page are (re)rendered.
  const onConsentPosted = (data) => {
    if (data) {
      location.reload();
    }
  };
  // postCustomConsent(vendors, purposes, legitimate-interest purposes)
  window.__tcfapi('postCustomConsent', 2, onConsentPosted, [vendorId], [], []);
}

/** Consent to the Facebook custom vendor (CMP vendor id as used on this page). */
function acceptFacebookConsentVendor() {
  const facebookVendorId = '5f1b2fbdb8e05c3057240f56';
  consentSpecificVendor(facebookVendorId);
}

/** Consent to the Instagram custom vendor (CMP vendor id as used on this page). */
function acceptInstagramConsentVendor() {
  const instagramVendorId = '5e7e5243b8e05c1c467daa57';
  consentSpecificVendor(instagramVendorId);
}

/** Consent to the Twitter custom vendor; same id the embed listener below checks for. */
function acceptTwitterConsentVendor() {
  const twitterVendorId = '5e71760b69966540e4554f01';
  consentSpecificVendor(twitterVendorId);
}

/** Consent to the YouTube custom vendor (CMP vendor id as used on this page). */
function acceptYoutubeConsentVendor() {
  const youtubeVendorId = '5e7ac3fae30e7d1bc1ebf5e8';
  consentSpecificVendor(youtubeVendorId);
}

/** Consent to the Trackdelight custom vendor (CMP vendor id as used on this page). */
function acceptTrackdelightConsentVendor() {
  const trackdelightVendorId = '5e77acddd8d48d795087425b';
  consentSpecificVendor(trackdelightVendorId);
}

/** Consent to the TikTok custom vendor (CMP vendor id as used on this page). */
function acceptTikTokConsentVendor() {
  const tikTokVendorId = '5e7f6927b8e05c4e491e7380';
  consentSpecificVendor(tikTokVendorId);
}

/** Consent to the Twitch custom vendor (CMP vendor id as used on this page). */
function acceptTwitchConsentVendor() {
  const twitchVendorId = '5ec462c02330505ab89fbb3b';
  consentSpecificVendor(twitchVendorId);
}

/** Consent to the Vimeo custom vendor (CMP vendor id as used on this page). */
function acceptVimeoConsentVendor() {
  const vimeoVendorId = '5eac148d4bfee33e7280d13b';
  consentSpecificVendor(vimeoVendorId);
}

// Once the CMP reports the TC string as loaded ('tcloaded') or the user has
// finished interacting ('useractioncomplete'), ask for the custom vendor
// consents and, if the Twitter vendor (same id as acceptTwitterConsentVendor)
// is consented, activate the consent-gated Twitter embed.
window.__tcfapi('addEventListener', 2, function(tcData) { if (tcData.eventStatus === 'tcloaded' || tcData.eventStatus === 'useractioncomplete') { window.__tcfapi('getCustomVendorConsents', 2, function(vendorConsents, success) {

// Linear scan for the single vendor id of interest.
// NOTE(review): consentedVendors is dereferenced before `success` is checked
// below; if the CMP answers with success=false and no payload this throws —
// confirm the CMP always returns a consentedVendors array.
let vendorConsented = false; vendorConsents.consentedVendors.forEach(vendor => if (vendor && vendor._id === '5e71760b69966540e4554f01') vendorConsented = true;


// The embed markup ships inside an HTML comment under the widget root and is
// only written to innerHTML after consent. NOTE(review): this trusts that the
// comment content is page-authored markup — confirm it can never carry
// user-supplied text. The script URLs in thirdPartyScripts are blank in this
// copy of the page.
if (success && vendorConsented) const rootElement = document.getElementById('chip-widgets-twitter-62f39e11bb2d5'); const thirdPartyScripts = twitter: '', facebook: '', trackdelight: '', instagram: '//', tikTok: '', ;

// nodeType 8 is Node.COMMENT_NODE. NOTE(review): in this copy of the page the
// line break after the original `// nodeType 8 is HTML Comment` remark was
// lost, so the rest of the line reads as comment text; in the live page the
// `if` that copies the comment body into innerHTML and the script injection
// for 'twitter' follow as code.
for (let i=0; i < rootElement.childNodes.length; i++) // nodeType 8 is HTML Comment if (rootElement.childNodes[i].nodeType == 8) rootElement.innerHTML = rootElement.childNodes[i].data.trim();if (thirdPartyScripts.hasOwnProperty('twitter')) const script = document.createElement("script"); script.src = thirdPartyScripts['twitter']; script.async = true; script.defer = true; rootElement.appendChild(script); }); window.__tcfapi('removeEventListener', 2, function(success) , tcData.listenerId); } });
