TeaOnHer, an app designed for men to share photos and information about women they have supposedly dated, has exposed users’ personal information, including government IDs and selfies, TechCrunch can confirm.
The app, which launched on the Apple App Store earlier this week, is a response to another viral app, Tea, that allows women to post about the men they date. Tea is advertised as a women’s safety app with more than 6 million users that is similar to “Are we dating the same guy?” Facebook networks. However, the app is controversial, since many of the claims that women post cannot be verified.
The backlash surrounding Tea escalated last week, after 404 Media reported that 4chan users retaliated by discovering a publicly exposed database belonging to the app, which revealed over 72,000 images, including thousands of selfies and photo IDs submitted for account verification. A subsequent hack exposed more than 1 million private messages sent over the app, prompting the app to disable its messaging feature.
TeaOnHer, which is now ranked No. 2 among Lifestyle apps on iOS, appears to be a direct rebuttal to the Tea app, even copying the language from Tea’s App Store description in its own listing.
But like the app it sought to emulate, TeaOnHer contains security flaws of its own.
TechCrunch has found at least one security flaw that allows anyone to access data belonging to TeaOnHer app users, including their usernames and associated email addresses, as well as driver’s licenses and selfies that users uploaded to TeaOnHer. Images of these driver’s licenses are stored at publicly accessible web addresses, allowing anyone with the links to access them using their web browser.
In one case, TechCrunch saw a list of posts shared on TeaOnHer appended with each user’s email address, display name, and self-reported location.
TechCrunch is withholding some of the details of the bugs so as to not help malicious actors access anyone’s data. The app’s maker did not respond to emails from TechCrunch asking who we can report the flaws to. As such, TechCrunch is publishing this report with limited de …