AT2k Design BBS Message Area
Local Database: Slashdot [194 / 224] RSS
From: VRSS   To: All   Date/Time: August 18, 2025 2:40 AM

Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: Male-Oriented App 'TeaOnHer' Also Had Security Flaws That Could Leak Men's Driver's License Photos

Link: https://it.slashdot.org/story/25/08/18/055025...

The women-only dating-advice app Tea "has been hit with 10 potential class action lawsuits in federal and state court," NBC News reported last week, "after a data breach led to the leak of thousands of selfies, ID photos and private conversations online." The suits could result in Tea having to pay tens of millions of dollars in damages to the plaintiffs, which could be catastrophic for the company, an expert told NBC News... One of the suits lists the right-wing online discussion board 4chan and the social platform X as defendants, alleging that they allowed bad actors to spread users' personal information.

But meanwhile, a new competing app for men called "TeaOnHer" has already been launched. And it was also found to have enormous security flaws, reports TechCrunch, that "exposed its users' personal information, including photos of their driver's licenses and other government-issued identity documents..."

[W]hen we looked at the TeaOnHer's public internet records, it had no meaningful information other than a single subdomain, appserver.teaonher.com. When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, we uploaded a copy here)... It was on this landing page that we found the exposed email address and plaintext password (which wasn't that far off from "password";) for [TeaOnHer developer Xavier] Lampkin's account to access the TeaOnHer "admin panel"... This API landing page included an endpoint called /docs, which contained the API's auto-generated documentation (powered by a product called Swagger UI) that contained the full list of commands that can be performed on the API [including administrator commands to return user data]...

While it's not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication - no passwords or credentials were needed... The records returned from TeaOnHer's server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web address links containing photos of the users' driver's licenses and corresponding selfies.

Worse, these photos of driver's licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud server set as publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone's identity documents open the files from anywhere with no restrictions...

The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did. We asked, but Lampkin would not say if he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users' verification documents, such as by scraping web addresses from the API. In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page, and it now displays only the state of the server that the TeaOnHer API is running on as "healthy."

The flaws were discovered while TeaOnHer was the #2 free app in the Apple App Store, the article points out. And while these flaws "appear to be resolved," the article notes a larger issue. "Shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information to use apps and websites."

And TeaOnHer also had another authentication issue. A female reporter at Cosmopolitan also noted Friday that TeaOnHer "lets you browse through profiles before your verifications are complete. So literally anyone (like myself) can read reviews..."

Read more of this story at Slashdot.

---
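The story turns on one mechanical point: a public Swagger UI /docs page is generated from an OpenAPI document, and that document states, per operation, which security schemes (if any) apply. Anyone who can fetch it can therefore enumerate the endpoints that need no credentials, which is exactly what a defender should do before an attacker does. The script below is an added example, not TeaOnHer's code or its real API description; the sample spec, its paths and the "bearer" scheme are constructed stand-ins. It applies the OpenAPI rules that an operation's own security list overrides the global one, that an empty list means no authentication, and that an empty requirement object {} inside the list is an alternative that allows anonymous access.

```python
"""Audit an OpenAPI 3.x document for operations callable without authentication.

Added example (not TeaOnHer's code or spec). SAMPLE_OPENAPI below is a constructed
document of the kind a Swagger UI /docs page is rendered from; every path and
scheme name in it is an assumption made for illustration.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample spec: the global 'security' list is empty, so any operation
# that does not declare its own requirement inherits "no authentication".
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.2",
    "info": {"title": "hypothetical-app-api", "version": "1"},
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [],
    "paths": {
        "/health": {"get": {"summary": "Liveness check"}},
        "/admin/users": {"get": {"summary": "List every user record"}},
        "/admin/users/{id}/documents": {
            "get": {"summary": "ID-document links", "security": [{"bearer": []}]}},
        "/login": {"post": {"summary": "Obtain a token", "security": []}},
    },
})


def requirement_allows_anonymous(requirements):
    """True when the effective security list lets a caller in with no credentials."""
    # Empty list: no scheme required. An empty object inside the list is one of the
    # OR-ed alternatives and itself requires nothing, so anonymous access is allowed.
    return len(requirements) == 0 or any(len(alt) == 0 for alt in requirements)


def unauthenticated_operations(spec_json):
    """Return 'METHOD /path' for every operation reachable without authentication."""
    spec = json.loads(spec_json)
    global_requirements = spec.get("security", [])
    open_ops = []
    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary' and other non-operation keys
            # Per-operation 'security' overrides the document-level default entirely.
            effective = operation.get("security", global_requirements)
            if requirement_allows_anonymous(effective):
                open_ops.append(f"{method.upper()} {path}")
    return sorted(open_ops)


def with_global_requirement(spec_json, scheme_name):
    """Return a copy of the spec whose document-level default requires scheme_name.

    This is the fix for the 'inherits nothing' case: operations that meant to be
    protected become protected, while explicit 'security: []' opt-outs stay open
    and must each be justified.
    """
    spec = json.loads(spec_json)
    if scheme_name not in spec.get("components", {}).get("securitySchemes", {}):
        raise ValueError(f"unknown security scheme: {scheme_name}")
    spec["security"] = [{scheme_name: []}]
    return json.dumps(spec)


if __name__ == "__main__":
    print("open as published:", unauthenticated_operations(SAMPLE_OPENAPI))
    hardened = with_global_requirement(SAMPLE_OPENAPI, "bearer")
    print("open after a global bearer default:", unauthenticated_operations(hardened))
```

Run against a real deployment, the input would be the openapi.json that the /docs page loads; the interesting output is any operation under an administrative or per-user path that appears in the first list. The second list shows the remaining, deliberate exceptions (here only the login endpoint), which is the set a reviewer should be able to read in one sitting.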