TeaOnHer App Exposes Thousands of Users’ Personal Data Amid Security Flaws

In the digital age, where privacy is paramount, an app called TeaOnHer inadvertently exposed the personal information of thousands of its users, including sensitive identity documents. Designed for men to share photos and details about women they claim to have dated, the app mirrored Tea, the popular gossip platform for women, but with alarming security lapses.
TeaOnHer’s lax coding and security flaws exposed users’ personal information, such as driver’s license photos and other identity documents, highlighting the ongoing privacy risks associated with apps and websites that require sensitive user data. As such apps grow in popularity and age verification laws compel popular platforms to store databases of people’s personal details, these risks are only set to escalate.
Upon discovering the security issues, our team elected to publish a limited disclosure instead of detailing specific bugs to prevent bad actors from exploiting them. At the time of disclosure, TeaOnHer was ranked second in the free app charts on the Apple App Store, maintaining this position even today.
Our investigation began by tracing the app’s online presence through its public-facing infrastructure, including its website and domain records. Although no website was publicly accessible at first, we were able to uncover TeaOnHer’s API landing page, which housed easy-to-find flaws in its backend system.
This landing page revealed an exposed email address and password for the app’s developer, enabling access to the “admin panel.” The admin panel, used for document verification and user management, was located on a localhost server, raising concerns about potential unauthorized access.
Within minutes of gaining access, our team discovered that several API requests could be made without any authentication, allowing unauthorized individuals to access users’ private data. This included account records with self-reported age, location, email addresses, and links to photos of driver’s licenses and corresponding selfies, stored in an Amazon-hosted S3 storage bucket at publicly accessible web addresses.
Because records could be requested by their unique user identifier, malicious users could have scraped vast amounts of user data from the app, similar to what occurred with the Tea app initially. Upon reporting our findings, the API landing page was taken down, and access to users’ identity documents was restricted.
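The two failures described above (API requests that need no authentication and return any account by its identifier, and identity documents reachable at permanent public storage URLs) are easiest to see next to their fixes. The following is an added example written for this article, not TeaOnHer’s code or anything recovered from its API: a request handler in the leaky form beside a hardened one that requires a bearer token, returns only the caller’s own record, and links identity documents through short-lived signed URLs. The user records, session tokens, bucket name and signing key are all constructed for the example, and the HMAC presigning is a simplified stand-in for S3’s SigV4 presigned URLs (in practice a bucket kept private plus boto3’s generate_presigned_url).

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed values for this example only; a real service would keep the
# signing key in a secrets manager and the records in a database.
SIGNING_KEY = b"example-signing-key-not-for-production"
BUCKET_URL = "https://example-id-docs.s3.amazonaws.com"  # hypothetical bucket

USERS = {
    "u-1001": {"age": 29, "city": "Austin", "email": "alice@example.com",
               "id_doc_key": "ids/u-1001.jpg"},
    "u-1002": {"age": 34, "city": "Denver", "email": "bob@example.com",
               "id_doc_key": "ids/u-1002.jpg"},
}
SESSIONS = {"tok-alice": "u-1001", "tok-bob": "u-1002"}  # bearer token -> user id


def leaky_get_user(user_id, headers):
    """The pattern the article describes: no authentication, any user id is
    accepted, and the identity document is a permanent public object URL."""
    rec = USERS.get(user_id)
    if rec is None:
        return 404, {"error": "not found"}
    return 200, {**rec, "id_doc_url": f"{BUCKET_URL}/{rec['id_doc_key']}"}


def presign(object_key, expires_in=300, now=None):
    """Short-lived signed link to a private object. Simplified stand-in for
    an S3 presigned URL: what matters is the expiry and the signature."""
    exp = int((now if now is not None else time.time()) + expires_in)
    msg = f"{object_key}|{exp}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{BUCKET_URL}/{object_key}?expires={exp}&sig={sig}"


def verify_presigned(url, now=None):
    """What the storage side checks before serving the object: the link has
    not expired and its signature matches the key and expiry it carries."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        exp = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if (now if now is not None else time.time()) > exp:
        return False
    object_key = parsed.path.lstrip("/")
    expected = hmac.new(SIGNING_KEY, f"{object_key}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def hardened_get_user(user_id, headers):
    """Authentication (valid session) and object-level authorization (only
    your own record), so a user id alone fetches nothing."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller != user_id:
        return 403, {"error": "forbidden"}  # no enumeration of other accounts
    rec = USERS[caller]
    return 200, {"age": rec["age"], "city": rec["city"], "email": rec["email"],
                 "id_doc_url": presign(rec["id_doc_key"])}


if __name__ == "__main__":
    print(leaky_get_user("u-1002", {}))
    print(hardened_get_user("u-1002", {}))
    print(hardened_get_user("u-1002", {"Authorization": "Bearer tok-alice"}))
    print(hardened_get_user("u-1001", {"Authorization": "Bearer tok-alice"}))
```

The hardened handler fails closed twice: a request with no session gets 401 before any record is looked up, and a valid session asking for a different identifier gets 403, which is the check that turns a scrape of sequential or leaked identifiers into a stream of refusals. The document link that does come back stops working after five minutes, so a copied URL is not a permanent leak of someone’s driver’s license.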
Developers have a responsibility to protect their users’ personal data, regardless of their size or resources. If data security cannot be ensured, such apps should not exist. If you uncover evidence of popular apps leaking or exposing sensitive information, we encourage you to come forward. Secure and confidential communication can be established via the encrypted messaging service Signal, at zackwhittaker.1337.