How We Found TeaOnHer Spilling Users’ Driver’s Licenses In Less Than 10 Minutes


For an app all about spilling the beans on who you’re allegedly dating, it’s ironic that TeaOnHer was spilling the personal information of thousands of its users to the open web.

TeaOnHer was designed for men to share photos and information about women they claim to have been dating. But much like Tea, the dating-gossip app for women it was trying to replicate, TeaOnHer had gaping holes in its security that exposed its users’ personal data, including photos of their driver’s licenses and other government-issued identity documents, as TechCrunch reported last week.

These gated, community-like apps were created ostensibly to let users share information about their relationships under the guise of personal safety. However, shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information to use apps and websites.

Such risks are only going to worsen; popular apps and web services are already having to comply with age verification laws that require people to submit their identity documents before they can be granted access to adult-themed content, despite the privacy and security risks associated with storing databases of people’s personal information.

When TechCrunch published our story last week, we did not publish specific details of the bugs we discovered in TeaOnHer, erring on the side of caution so as not to help bad actors exploit the bugs. Instead, we decided to publish a limited disclosure, because of the app’s rising popularity and the immediate risks that users faced when using the app.

As of the time of disclosure, TeaOnHer was #2 in the free app charts on the Apple App Store, a position still held by the app today.

The flaws we found appear to be resolved. TechCrunch can now share how we were able to find users’ driver’s licenses within 10 minutes of being sent a link to the app in the App Store, thanks to easy-to-find flaws in the app’s public-facing backend system, or API.

The app’s developer, Xavier Lampkin, did not respond to multiple requests for comment after we submitted details of the security flaws, nor would Lampkin commit to notifying affected TeaOnHer users or state regulators of the security lapse.

We also asked Lampkin if any security reviews were carried out before the TeaOnHer app was launched, but we got no reply. (We have more on disclosure later on.)

Alright, start the clock.

TeaOnHer exposed ‘admin panel’ credentials

Before we even downloaded the app, we first wanted to find out where TeaOnHer was hosted on the internet by looking at its public-facing infrastructure, such as its website and anything hosted on its domain.

This is usually a good place to start, as it helps us understand what other services the domain is connected to on the internet.

To find the domain name, we first looked (by chance) at the app’s listing on the Apple App Store to find the app’s website. This can usually be found in its privacy policy, which apps must include before Apple will list them. (The app listing also claims the developer “does not collect any data from this app,” which is demonstrably false, so take that as you will.)

TeaOnHer’s privacy policy was in the form of a published Google Doc, which included an email address with a teaonher.com domain, but no website.

The website wasn’t public at the time, so with no website loading, we looked at the domain’s public-facing DNS records, which can help to identify what else is hosted on the domain, such as the type of email servers or web hosting. We also wanted to look for any public subdomains that the developer might use to host functionality for the app (or host other resources that should probably not be public), such as admin dashboards, databases, or other web-facing services.

But when we looked at TeaOnHer’s public internet records, it had no meaningful information other than a single subdomain, appserver.teaonher.com.

When we opened this page in our browser, what loaded was the landing page for TeaOnHer’s API (for the curious, we uploaded a copy here). An API simply allows things on the internet to communicate with each other, such as linking an app to its central database.

It was on this landing page that we found the exposed email address and plaintext password (which wasn’t that far off “password”) for Lampkin’s account to access the TeaOnHer “admin panel.”

The API page showed that the admin panel, used for the document verification system and user management, was located at “localhost,” which simply refers to the physical machine running the server and may not have been directly accessible from the internet. It’s unclear if anyone could have used the credentials to access the admin panel, but this was in itself a sufficiently alarming finding.

At this point, we were only about two minutes in.

Otherwise, the API landing page didn’t do much other than offer some indication as to what the API can do. The page listed several API endpoints, which the app needs to access in order to function, such as retrieving user records from TeaOnHer’s database, letting users leave reviews, and sending notifications.

With knowledge of these endpoints, it can be easier to interact with the API directly, as if we were imitating the app itself. Every API is different, so learning how an API works and how to communicate with one can take time to figure out, such as which endpoints to use and the parameters needed to effectively speak its language. Apps like Postman can be helpful for accessing and interacting directly with APIs, but this requires time and a certain degree of trial and error (and patience) to make APIs spit out data when they shouldn’t.

But in this case, there was an even easier way.

TeaOnHer API allowed unauthenticated access to user data

This API landing page included an endpoint called /docs, which contained the API’s auto-generated documentation (powered by a product called Swagger UI) listing the full set of commands that can be performed on the API.

This documentation page was effectively a master sheet of all the actions you can perform on the TeaOnHer API as a regular app user, and more importantly, as the app’s administrator, such as creating new users, verifying users’ identity documents, moderating comments, and more.

The API documentation also featured the ability to query the TeaOnHer API and return user data, essentially letting us retrieve data from the app’s backend server and display it in our browser.

While it’s not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication: no passwords or credentials were needed to return information from the TeaOnHer database. In other words, you could run commands on the API to access users’ private data that should not have been accessible to a user of the app, let alone anyone on the internet.

All of this was conveniently and publicly documented for anyone to see.

Requesting a list of users currently in the TeaOnHer identity verification queue, for example (no more than pressing a button on the API page, nothing fancy here), would return dozens of account records on people who had recently signed up to TeaOnHer.

The records returned from TeaOnHer’s server contained users’ unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web address links containing photos of the users’ driver’s licenses and corresponding selfies.

Worse, these photos of driver’s licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud storage bucket set as publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone’s identity documents open the files from anywhere with no restrictions.

Two driver’s licenses (redacted by TechCrunch), one from Texas and the other from Massachusetts, exposed by the flaws in the TeaOnHer app. Image Credits: TechCrunch (screenshot)

With that unique user identifier, we could also use the API page to directly look up individual users’ records, which would return their account information and any of their associated identity documents. With unfettered access to the API, a malicious user could have scraped vast amounts of user data from the app, much like what happened with the Tea app to begin with.

From bean to cup, that was about 10 minutes, and we hadn’t even logged in to the app yet. The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did.

We asked, but Lampkin would not say if he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users’ verification documents, such as by scraping web addresses from the API.

In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page, and it now displays only the status of the server that the TeaOnHer API is running on as “healthy.” At least on cursory tests, the API now appears to rely on authentication, and the previous calls made using the API no longer work.

The web addresses containing users’ uploaded identity documents have also been restricted from public view.
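As an added example (this is not TechCrunch’s code, nor anything taken from the TeaOnHer API), here is how a practitioner turns an exposed Swagger/OpenAPI document like the one served at /docs into a checklist of operations that declare no authentication at all. The two specs embedded below are constructed for illustration; their paths, the bearerAuth scheme, and the /health allowlist are hypothetical.

```python
"""
Added example, not code from the original article or from TeaOnHer.

Audit an OpenAPI 3 document and list every operation that can be called
with no authentication. OpenAPI expresses auth as `security` requirements:
a top-level list applies to all operations, and an operation may override
it, including opting out entirely with `security: []`.
"""
import json

# Constructed sample: no global `security`, so any operation that does not
# declare its own scheme is reachable without credentials. Paths are hypothetical.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
    },
    "paths": {
        "/users/{user_id}": {
            # No `security` key at all: inherits the (empty) global list.
            "get": {"summary": "Get a user record"},
            "delete": {"summary": "Delete a user",
                       "security": [{"bearerAuth": []}]},
        },
        "/admin/verification-queue": {
            # Explicit opt-out: the most dangerous shape for an admin route.
            "get": {"summary": "List users awaiting ID verification",
                    "security": []},
        },
        "/health": {"get": {"summary": "Liveness probe", "security": []}},
    },
})

# Constructed sample of the corrected shape: a global requirement protects
# everything, and only the liveness probe opts out.
LOCKED_SPEC = json.dumps({
    "openapi": "3.0.0",
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
    },
    "paths": {
        "/users/{user_id}": {"get": {"summary": "Get a user record"}},
        "/admin/verification-queue": {
            "get": {"summary": "List users awaiting ID verification"}},
        "/health": {"get": {"summary": "Liveness probe", "security": []}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def unauthenticated_operations(spec_text, allowlist=("/health",)):
    """Return sorted (METHOD, path) pairs with no effective security requirement.

    An operation is unprotected when the list that applies to it, either its
    own `security` or, if absent, the document's top-level `security`, is empty.
    Paths in `allowlist` (e.g. a liveness probe) are skipped.
    """
    spec = json.loads(spec_text)
    global_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            # Path items also carry non-operation keys such as `parameters`.
            if method.lower() not in HTTP_METHODS:
                continue
            effective = op.get("security", global_security)
            if not effective and path not in allowlist:
                findings.append((method.upper(), path))
    return sorted(findings)


if __name__ == "__main__":
    for label, spec in (("exposed", SAMPLE_SPEC), ("locked", LOCKED_SPEC)):
        print(f"[{label}]")
        for method, path in unauthenticated_operations(spec):
            print(f"  UNAUTHENTICATED {method:6} {path}")
```

Swagger UI renders its page from a JSON or YAML spec it fetches from the server (commonly at a path like /openapi.json or /swagger.json), so in practice you feed that fetched document to `unauthenticated_operations`. A declared scheme only proves intent, not enforcement: the confirming check is to replay one listed call without the Authorization header and expect a 401, which is exactly what “pressing a button on the API page” amounted to here.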

TeaOnHer developer dismissed efforts to disclose flaws

Given that TeaOnHer had no official website at the time of our findings, TechCrunch contacted the email address listed on the privacy policy in an effort to disclose the security lapses.

But the email bounced back with an error saying the email address couldn’t be found. We also tried contacting Lampkin through the email address on his website, Newville Media, but our email bounced back with the same error message.

TechCrunch reached Lampkin via LinkedIn message, asking him to provide an email address where we could send details of the security flaws. Lampkin responded with a generic “support” email address.

When TechCrunch discloses a security flaw, we reach out first to confirm that a person or company is the correct recipient. Otherwise, blindly sending details of a security bug to the wrong person could create a risk. Before sharing specific details of the flaws, we asked the recipient of the “support” email address if this was the correct address to disclose a security vulnerability involving TeaOnHer user data.

“You must have us confused with ‘the Tea app’,” Lampkin replied by email. (We hadn’t.) “We don’t have a security breach or data leak,” he said. (It did.) “We have some bots at most but we haven’t scaled big enough to be in that conversation yet, sorry you were misinformed.” (We weren’t.)

Satisfied that we had established contact with the correct person (albeit not satisfied with the response we received), TechCrunch shared details of the security flaws, as well as several links to exposed driver’s licenses, and a copy of Lampkin’s own data to underscore the severity of the security issues.

“Thank you for this information. This is very concerning. We are going to jump on this right now,” said Lampkin.

Despite several follow-up emails, we have not heard from Lampkin since we disclosed the security flaws.

It doesn’t matter if you’re a one-person software shop or a billionaire vibe coding through a weekend: Developers still have a responsibility to keep their users’ data safe. If you can’t keep your users’ private data safe, don’t build it to begin with.

If you have evidence of a popular app or service leaking or exposing data, get in touch. You can securely contact this reporter via encrypted message at zackwhittaker.1337 on Signal.
