Comment on Women’s ‘red flag’ app Tea is a privacy nightmare
NeilBru@lemmy.world 1 week agoAs I mentioned in other comments, I am a noob when it comes to web-sec best practices, so please forgive what may be dumb questions.
Is it really just permission rights “over-exposure” issue? Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?
Also, if you have time, recommend any links to web/cloud/SaaS security best practices “for dummies”?
nickwitha_k@lemmy.sdf.org 6 days ago
There’s nothing to forgive. Asking questions and being curious is how you learn this stuff.
From what I’ve read, it’s more fundamental than that. It’s a basic architecture issue. The datastore was publicly accessible, which it should never be. If they had it setup according to best practices, with an API to proxy access and auth, the datastore’s permissions would be of minimal consequence, unless their network was compromised (still best practice to secure it and approach with a zero-trust mindset).
Generally, cloud datastores handle encryption/decryption transparently, as long as the account accessing data has authorization to use the key. They probably also didn’t have encryption setup.
Here are some more resources: