## EqualTo AI Security Flaw: Email/Phone Identity Verification Trusts Spoofable Sender Fields in Comms Module
A medium-severity security vulnerability has been identified in EqualTo AI's identity verification pipeline, specifically within `internal/mcpserver/identity_verify_tools.go`. The flaw, catalogued under milestone Security Remediation M4 (Comms ingress and billing), allows message-scoped email and phone verification to trust sender-controlled fields rather than authoritative Host mailbox provenance. The finding was surfaced through an automated Pilot security scan conducted on May 14, 2026, and classified as medium severity in the body.csv reference index.

The vulnerability stems from a trust misconfiguration in how identity claims are validated during message processing. Instead of anchoring verification to the immutable mailbox metadata that the Host assigns on receipt (the authoritative provenance), the affected code paths rely on fields a sender can set before the message reaches the verification layer, such as the addressing and contact fields carried in the message itself. This creates a surface for identity spoofing across communication channels, potentially enabling unauthorized access to billing-adjacent workflows or impersonation of legitimate users within the system.

The remediation strategy mandates a full trust anchor shift: verification logic must exclusively reference authoritative Host mailbox sources. The team plans to consolidate fixes into a single repo-local pull request covering the entire affected surface area, with a split approach considered only if ownership or deployment boundaries introduce implementation risk. The finding remains under active remediation, with public-facing details sanitized until patches are merged. The exposure window centers on the comms ingress pathway, placing any downstream billing logic dependent on unverified identity assertions at elevated risk until the fix is deployed.
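As an added illustration, not code from EqualTo AI's repository, the Go sketch below places the claim-trusting check beside a provenance-anchored one. The `Message`, `MailboxProvenance`, `Channel` and `Verify*` names are assumed shapes chosen for the example; the sample message is constructed. The anchored version never reads the sender-written fields and fails closed when the Host established no origin at all, which is the behaviour the remediation described above calls for.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Message is a hypothetical shape for one comms-ingress message. Fields a
// remote sender can write are kept apart from provenance that the receiving
// Host mailbox layer assigns. These names are assumptions, not EqualTo's types.
type Message struct {
	ClaimedEmail string            // sender-controlled, e.g. the From header
	ClaimedPhone string            // sender-controlled, e.g. a phone field in the body
	Provenance   MailboxProvenance // Host-assigned, never writable by the sender
}

// MailboxProvenance is what the Host actually established about the origin
// (for example an address that passed sender-authentication checks).
type MailboxProvenance struct {
	Authenticated bool   // false when the Host could not establish an origin
	Email         string // origin address the Host authenticated
	Phone         string // origin number the telephony ingress delivered from
}

// Channel selects which message-scoped identity is being verified.
type Channel int

const (
	ChannelEmail Channel = iota
	ChannelPhone
)

var ErrNoProvenance = errors.New("identity: message lacks Host-authenticated provenance")

func normalizeEmail(s string) string {
	return strings.ToLower(strings.TrimSpace(s))
}

// normalizePhone keeps digits only so "+1 (555) 010-0000" and "15550100000" compare equal.
func normalizePhone(s string) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsDigit(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// VerifyFromClaim mirrors the flawed pattern: the decision rests on a field
// the sender wrote, so a message whose From header carries the expected
// address passes regardless of where it actually came from.
func VerifyFromClaim(m Message, expectedEmail string) bool {
	return normalizeEmail(m.ClaimedEmail) == normalizeEmail(expectedEmail)
}

// VerifyFromProvenance is the anchored form: it ignores ClaimedEmail and
// ClaimedPhone entirely and fails closed when the Host authenticated nothing.
func VerifyFromProvenance(m Message, ch Channel, expected string) (bool, error) {
	if !m.Provenance.Authenticated {
		return false, ErrNoProvenance
	}
	switch ch {
	case ChannelEmail:
		want := normalizeEmail(expected)
		if want == "" {
			return false, errors.New("identity: empty expected email")
		}
		return normalizeEmail(m.Provenance.Email) == want, nil
	case ChannelPhone:
		want := normalizePhone(expected)
		if want == "" {
			return false, errors.New("identity: empty expected phone")
		}
		return normalizePhone(m.Provenance.Phone) == want, nil
	}
	return false, fmt.Errorf("identity: unknown channel %d", ch)
}

func main() {
	// Constructed sample: the sender wrote a victim's address into the From
	// header, but the Host mailbox authenticated a different origin.
	spoofed := Message{
		ClaimedEmail: "alice@example.com",
		Provenance:   MailboxProvenance{Authenticated: true, Email: "mallory@attacker.example"},
	}
	fmt.Println("claim-based check accepts spoof:", VerifyFromClaim(spoofed, "alice@example.com"))
	ok, err := VerifyFromProvenance(spoofed, ChannelEmail, "alice@example.com")
	fmt.Println("provenance-based check accepts spoof:", ok, "err:", err)
}
```

The structural point is that the two kinds of fields live in separate types, so a reviewer can see at the call site whether a check reads sender-controlled or Host-assigned data; a single flat struct makes it easy for a later change to reach for the wrong field. Detection-wise, a message whose authenticated origin differs from its claimed address is itself a useful signal to log at ingress, independent of which check the billing path uses.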

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security-vulnerability, identity-verification, email-spoofing, authentication-bypass, comms-security
- **Credibility**: unverified
- **Published**: 2026-05-14 20:18:28
- **ID**: 83162
- **URL**: https://whisperx.ai/en/intel/83162