Can apps still get information that identifies the specific device? If so, another possible threat model could be more about identifying who uses what device rather than anything specifically in the photos themselves.

For example, I already have a database of high-value targets' faces built from political sources like house.gov. Now I do facial recognition between that set of faces and the FaceApp faces. That allows me to identify the specific devices used by government officials. That would seem to be super valuable for more targeted attacks and/or pairing with other apps for potential kompromat.

I was thinking more along the lines of hacking because now you have a face and can identify who they work for and that they may have valuable info being a part of X person’s political campaign. Potentially you’d then install some silent update or use some new exploit to gain access to the rest of their phone. Anyone know if that is possible?

Current-gen devices provide an advertising id. It's unique to the device but can be reset to a new random value by the owner in the OS settings.

I think they're talking about just what device they have and OS version (but that's available in the user-agent anyways[0]), since that tells an adversary what exploits to purchase or put resources into developing. Who knows, maybe 30% of congresspeople haven't yet upgraded to an iPhone with the A12/A13 chip (which can't be exploited via the checkm8 exploit).

0: https://developers.whatismybrowser.com/useragents/explore/so...

