Security researchers claim that Persona, the identity verification provider used in Discord’s UK age verification test, runs an extensive verification program that performs 269 individual verification checks across 14 check types and that a misconfigured government-facing endpoint exposed the platform’s full codebase.
The researchers say they discovered 53 megabytes of unprotected source maps on a FedRAMP government endpoint. Those maps reportedly exposed 2,456 source files containing the full TypeScript codebase. The exposed files allegedly included every permission, API endpoint, compliance rule, and screening algorithm used by Persona.
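The exposure described above comes down to a build artifact: a JavaScript source map whose sourcesContent field embeds the original TypeScript, so anyone who can fetch the .map file gets the source itself. The following Python script is an added example, not code from the researchers or from Persona, showing the check a deployment owner would run before publishing a build: it walks a local build directory, flags shipped .map files and bundles whose trailing sourceMappingURL comment points at one, and reports how many source files each map would reveal and whether full file contents are embedded. The directory layout, file names and map contents it creates are constructed sample data.

```python
import json
import os
import re
import tempfile

# Trailing comment that browsers and devtools follow to fetch the map
# (both the current "//#" form and the legacy "//@" form).
SOURCEMAP_COMMENT = re.compile(r"^//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)


def inspect_source_map(map_path):
    """Parse one source map and report what it would expose if served."""
    with open(map_path, "r", encoding="utf-8") as f:
        sm = json.load(f)
    sources = sm.get("sources", [])
    contents = sm.get("sourcesContent") or []
    embedded = sum(1 for c in contents if c)  # files whose full text is inlined
    if embedded:
        risk = "high"      # original source text ships with the map
    elif sources:
        risk = "medium"    # only paths and symbol mappings leak
    else:
        risk = "low"
    return {
        "map": map_path,
        "source_count": len(sources),
        "embedded_sources": embedded,
        "typescript_sources": sum(1 for s in sources if s.endswith((".ts", ".tsx"))),
        "risk": risk,
    }


def audit_build_dir(build_dir):
    """Find map files and map references across a build output directory."""
    findings = []
    for root, _, files in os.walk(build_dir):
        for name in files:
            path = os.path.join(root, name)
            if name.endswith(".map"):
                findings.append(inspect_source_map(path))
            elif name.endswith(".js"):
                with open(path, "r", encoding="utf-8") as f:
                    text = f.read()
                for m in SOURCEMAP_COMMENT.finditer(text):
                    findings.append({"bundle": path, "references": m.group(1)})
    return findings


def summarize(findings):
    """Roll findings up into the numbers a release gate would act on."""
    maps = [f for f in findings if "map" in f]
    refs = [f for f in findings if "bundle" in f]
    return {
        "maps_found": len(maps),
        "sources_exposed": sum(f["source_count"] for f in maps),
        "sources_with_embedded_content": sum(f["embedded_sources"] for f in maps),
        "bundles_referencing_maps": len(refs),
    }


def build_demo_dir():
    """Constructed sample build output: one bundle plus a map with inlined TypeScript."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "app.js"), "w", encoding="utf-8") as f:
        f.write("console.log('ready');\n//# sourceMappingURL=app.js.map\n")
    sample_map = {
        "version": 3,
        "file": "app.js",
        "sources": ["src/index.ts", "src/rules/screening.ts"],   # hypothetical paths
        "sourcesContent": ["export const ready = true;", "export function screen() {}"],
        "names": [],
        "mappings": "AAAA",
    }
    with open(os.path.join(d, "app.js.map"), "w", encoding="utf-8") as f:
        json.dump(sample_map, f)
    return d


if __name__ == "__main__":
    findings = audit_build_dir(build_demo_dir())
    for item in findings:
        print(item)
    print(summarize(findings))
```

In a release pipeline the useful gate is `sources_with_embedded_content == 0` for anything deployed to a public origin: maps needed for crash symbolication can be kept and uploaded to the error-tracking service while being deleted from the served directory, or generated without sourcesContent so that at most file paths leak.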
In a quoted summary the researchers wrote, “We didn’t even have to write or perform a single exploit, the entire architecture was just on the doorstep.” The report says Persona’s system is programmed to file Suspicious Activity Reports with FinCEN, to compare a user’s selfie to watchlist photos using facial recognition, and to screen people against 14 categories of adverse media from terrorism to espionage. The verification program reportedly also tags reports with codenames tied to active intelligence programs.
The researchers say the verification flow includes checks named in the code, such as SelfieSuspiciousEntityDetection. They ask directly, “What makes a face ‘suspicious’?” and add that the code does not specify criteria and that users are not informed. How much of the exposed material is directly tied to Discord’s earlier UK testing is unclear. The researchers note the discovery as an example of the kinds of risks privacy advocates have warned about around digital age verification. The UK government frames age verification as a child safety measure in its public guidance, and that material is available at UK guidance on the Online Safety Act.
The report also highlights the broader privacy concerns raised since the Discord rollout began. A separate report on claims of stolen verification images, “Hackers Claim 1.5TB”, summarizes allegations that a third party claimed to hold large troves of verification photos.
Researchers list the following concrete items as part of the exposed or described data and functionality: a FedRAMP endpoint with unprotected source maps, 2,456 TypeScript source files, automated filing of Suspicious Activity Reports to FinCEN, facial recognition that compares selfies to watchlist images, screening across 14 adverse media categories including terrorism and espionage, tagging of reports with intelligence codenames, and a verification program that runs 269 checks including components with names such as SelfieSuspiciousEntityDetection.
Privacy advocates and users remain concerned about handing biometric and watchlist-style data to third-party verification providers for routine age checks. The researchers and others emphasize that the presence of sophisticated screening features in a system used for age verification expands the privacy implications beyond simple age confirmation.