Suleiman Tawil of Teratosoft said on Feb. 19 that his analysis of the vmfunc research team’s report on Persona found no evidence of system breaches or credential theft, and that all information was obtained from publicly accessible sources.
The issue centers on a recent review of Persona’s AI identity verification infrastructure, which raised questions about data exposure and security practices. Tawil addressed the matter in a Medium article, stating, “No systems were breached. No credentials were stolen. No vulnerabilities were exploited. Everything came from publicly accessible sources.”
Tawil reviewed the report from the vmfunc research team, which examined how researchers used public tools such as Shodan scans, certificate transparency logs, DNS records, HTTP headers, and exposed JavaScript source maps to gather information. The analysis found that no systems were breached and that the non-production subdomain contained no customer or biometric data by design. This finding highlights a standard development practice rather than any security failure, according to Tawil’s Medium article.
Exposed source maps are a common issue in web applications and affect about 70% of organizations with production environments. Developers use source maps for debugging code; making them public reveals only the original source code without granting backend access. The Persona exposure involved a test subdomain and followed patterns seen across the tech industry, according to Security Boulevard.
Identity verification providers like Persona follow strict federal standards when serving government clients. Persona holds FedRAMP authorization, requiring non-production domains to be completely isolated. The exposed subdomain had never handled customer data and was separate from operational systems, ensuring sensitive information remained protected during normal development work, according to Persona’s post-incident review.
Tawil serves as CEO and CTO of Teratosoft with a focus on technical design and server architecture in IT projects. He has an engineering background and contributes articles on artificial intelligence, emerging technologies, and security topics that often examine complex infrastructure and public disclosures in technology spaces.



