
Google Pay, Drug Bots, and SIM Swaps: How Old Leaks Power New Attacks

Security BSides London · 370 views · 29:53 · about 1 month ago

This talk demonstrates how publicly available data from historical leaks can be weaponized to facilitate modern identity theft and fraud. The researchers show how cross-site leaks (XS-Leaks) and clickjacking techniques can be used to extract sensitive information like partial credit card numbers from authenticated sessions. The presentation highlights the danger of using easily discoverable personal information for account recovery and authentication, specifically in the context of SIM swap attacks. A practical demonstration shows how these techniques can be combined to bypass security controls and facilitate fraudulent account takeovers.

Weaponizing Public Data: How Old Leaks Enable Modern Account Takeovers

TL;DR: Publicly available data from historical breaches is being combined with cross-site leaks and clickjacking to bypass modern authentication controls. Attackers use these techniques to extract partial credit card numbers and other PII, which they then use to perform successful SIM swap attacks against telecom providers. Security teams must treat historical data leaks as active threats and move away from knowledge-based authentication methods that rely on easily discoverable personal information.

Data breaches are often treated as historical artifacts. Once a database is dumped and the initial panic subsides, security teams tend to move on to the next fire. This research proves that this mindset is a critical failure. Old data does not expire; it simply becomes cheaper and more accessible, eventually forming the foundation for sophisticated, multi-stage fraud campaigns.

The core of this problem lies in the intersection of legacy authentication practices and modern web browser vulnerabilities. Telecom providers and other service organizations still rely on knowledge-based authentication (KBA) to verify identity. They ask for a national ID number, a mother’s maiden name, or the last four digits of a credit card. When this information is readily available in a decade-old dump, the authentication process is effectively nullified.

The Mechanics of the Attack

Attackers are not just using this data for simple phishing. They are actively weaponizing it through Cross-Site Leaks (XS-Leaks) and Clickjacking. The researchers demonstrated a flow where an attacker lures a victim to a malicious site. This site embeds a legitimate service, such as a payment portal, within a hidden iframe. By applying specific CSS filters, the attacker can manipulate the rendering of that iframe to extract information from the victim's authenticated session.

Consider the case of extracting the last four digits of a credit card from a Google Pay or Google Wallet interface. The attacker uses CSS to manipulate the iframe's appearance, effectively creating a side channel. By observing how the browser renders the iframe based on the victim's state, the attacker can infer sensitive data. This is not a theoretical exploit. It relies on the fact that CSS filters, like grayscale or invert, are applied to the entire rendering context, including cross-origin iframes.

/* Example of a CSS filter used to manipulate iframe rendering */
iframe {
  filter: grayscale(1) contrast(3);
  position: absolute;
  opacity: 0.01;
}

Once the attacker has these four digits, they have the final piece of the puzzle required to impersonate the victim during a call to a telecom provider. The provider, believing they are speaking to the legitimate account holder, initiates a SIM swap. The attacker now controls the victim's phone number, allowing them to intercept SMS-based two-factor authentication codes for banking, email, and social media accounts.

Why This Matters for Pentesters

During a red team engagement or a penetration test, it is common to focus on finding a remote code execution vulnerability or a SQL injection. However, this research highlights that the most effective path to compromise is often through the business logic of identity verification. If you are testing a client’s customer support portal or their account recovery flow, do not just look for technical bugs. Look at the questions they ask to verify a user.

If a client allows a user to reset a password or change an account setting based on information that can be found in a CVE-2024-0000 style leak or a public database, you have found a high-impact vulnerability. The impact is not just a single account takeover; it is the ability to scale fraud across an entire user base.

Defending Against the Human Side Channel

Defending against these attacks requires a fundamental shift in how we handle identity. Relying on static, discoverable information for authentication is a losing battle. Organizations must implement phishing-resistant multi-factor authentication, such as FIDO2/WebAuthn, which does not rely on SMS or easily intercepted secrets.

Furthermore, developers must implement robust Content Security Policy (CSP) headers to prevent unauthorized framing of their applications. By setting frame-ancestors 'none' or frame-ancestors 'self', you can effectively neutralize clickjacking and many XS-Leak vectors.
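As an added defensive check (not code from the talk or from Kuboid), the script below classifies a response's framing policy from its Content-Security-Policy frame-ancestors directive and its X-Frame-Options header, which is the precondition the clickjacking and CSS-filter XS-Leak chain above depends on. The sample responses are constructed for illustration and do not come from any real service.

```python
# Added example: decide whether a third-party page could embed a response in an
# iframe, based on CSP frame-ancestors and the legacy X-Frame-Options header.
from __future__ import annotations

def parse_frame_ancestors(csp: str | None) -> list[str] | None:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def is_frameable_cross_origin(headers: dict[str, str]) -> tuple[bool, str]:
    """Return (frameable_by_third_party, reason) from HTTP response headers."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    sources = parse_frame_ancestors(lower.get("content-security-policy"))
    if sources is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        # An empty source list is equivalent to 'none'.
        if not sources or "none" in sources:
            return False, "CSP frame-ancestors 'none'"
        if all(s == "self" for s in sources):
            return False, "CSP frame-ancestors 'self'"
        # Wildcards, scheme sources or host allowlists: third parties can frame.
        return True, "CSP frame-ancestors allows " + " ".join(sources)
    xfo = lower.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete: current browsers ignore it, so the page ends up frameable.
        return True, "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    return True, "no framing restriction"

# Constructed sample responses (not captured from any real service).
SAMPLE_RESPONSES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "DENY"},
    "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
    "allowlist": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "unprotected": {"Content-Type": "text/html"},
}

def audit(responses: dict[str, dict[str, str]]) -> dict[str, tuple[bool, str]]:
    """Classify each sample; frameable entries are the ones to fix."""
    return {name: is_frameable_cross_origin(h) for name, h in responses.items()}

if __name__ == "__main__":
    for name, (frameable, why) in audit(SAMPLE_RESPONSES).items():
        print(f"{name:12} {'FRAMEABLE' if frameable else 'protected':10} {why}")
```

Entries reported as frameable with an allowlist are not automatically wrong; review each listed origin against the partners that genuinely need to embed the page.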

The reality is that your users' personal data is already public. The goal is to ensure that this public data is useless to an attacker. If your authentication flow still treats a date of birth or a partial credit card number as a secret, you are not protecting your users; you are merely providing a roadmap for the next wave of account takeovers. Stop asking for information that can be found on a dark web forum and start requiring proof of possession. The next time you see a "forgot password" flow, ask yourself if the questions being asked are actually secure, or if they are just a relic of a time when data was harder to find.

Talk Type: research presentation
Difficulty: intermediate
Category: web security
Badges: Has Demo · Has Code · Tool Released


Conference: BSides London 2025 Clappy Monkey Track (8 talks, 2025)