Yet More Spilled Tea Data
Hardly any time has passed since the Tea dating app breach, and already the counter app launched in opposition to it – TeaOnHer, a mirror of Tea where male users can do essentially the same gossip as the original – has somehow fallen through the same glaringly obvious trap door. Poor security practices have now rendered this user set’s personal data exposed, including driver’s licenses and other sensitive information. But….why? How? Oh how the turns have tabled.
A deep dive into the breach revealed that the app’s subdomain landing page was clearly exposed, like a flashing neon sign, the email address and plaintext password of the application’s developer. This lackadaisical approach was further extended to all users. Researchers were able to locate user driver’s licenses within ten minutes of getting a link for the App Store. The landing also contained a documentation page of all the allowed actions for users and admins on the TeaOnHer API, including verifying user identity, creating new users and more. API requests could then be made without any authentication, allowing for queries to retrieve and display user data. No passwords or other credentials required: just run the command and you have access to private data publicly documented.
Email addresses, driver’s license photos, screen names, ages and locations, and selfies were among the breached data
Upon contacting the developer with details of security flaws in the API and questions of notifying affected users, TechCrunch was met with no replies. When they eventually did hear back, it was a denial of any security breach or issues, in contrast to the evidence gathered so far. This changed when they shared the details with the developer, who then thanked them for the alert and offered to look into it.
Since the server now appears as “healthy” and reliant on authentication measures, and the earlier documentation has been removed, one might assume the problem has now been addressed. How it happened in the first place, that an app designed in retaliation against another could instantly blunder into the same kind of security failings, I just can’t wrap my head around. If sensitive personal data is going to be a mere afterthought for a company, not protected, not encrypted, then they’re not going to have any excuse when it lands them in hot water (tea?)