How we found TeaOnHer spilling users’ driver’s licenses in less than 10 minutes

by | Aug 13, 2025 | Technology

For an app all about spilling the beans on who you’re allegedly dating, it’s ironic that TeaOnHer was spilling the personal information of thousands of its users to the open web.

TeaOnHer was designed for men to share photos and information about women they claim to have been dating. But much like Tea, the dating-gossip app for women it was trying to replicate, TeaOnHer had gaping holes in its security that exposed its users’ personal information, including photos of their driver’s licenses and other government-issued identity documents, as TechCrunch reported last week.

These gated-community-style apps were created ostensibly to let users share information about their relationships under the guise of personal safety. However, shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information to use apps and websites.

Such risks are only going to worsen; popular apps and web services are already having to comply with age verification laws that require people to submit their identity documents before they can be granted access to adult-themed content, despite the privacy and security risks associated with storing databases of people’s personal information.

When TechCrunch published our story last week, we did not publish specific details of the bugs we discovered in TeaOnHer, erring on the side of caution so as to not help bad actors exploit the bug. Instead, we decided to publish a limited disclosure, because of the app’s rising popularity and the immediate risks that users faced when using the app.

As of the time of disclosure, TeaOnHer was #2 in the free app charts on the Apple App Store, a position still held by the app today.

The flaws we found appear to be resolved. TechCrunch can now share how we were able to find users’ driver’s licenses within 10 minutes of being sent a link to the app in the App Store, thanks to easy-to-find flaws in the app’s public-facing backend system, or API.

The app’s developer, Xavier Lampkin, did not respond to multiple requests for comment after we submitted details of the security flaws, nor would Lampkin commit to notifying affected TeaOnHer users or state regulators of the security lapse.

We also asked Lampkin if any security reviews were carried out before the TeaOnHer app was launched, but we got no reply. (We have more on disclosure later on.)

Alright, start the clock.

TeaOnHer exposed ‘admin panel’ credentials

Before we even downloaded the app, we first wanted to find out where TeaOnHer was hosted on the …
