Women’s ‘red flag’ app Tea is a privacy nightmare

⁨280⁩ ⁨likes⁩

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨return2ozma@lemmy.world⁩ to ⁨technology@lemmy.world⁩

https://www.theverge.com/cyber-security/714750/tea-hack-breach

source

Comments

  • blitzen@lemmy.ca ⁨4⁩ ⁨minutes⁩ ago

    I feel that the app filled a need of women we should not ignore. But the app, both this specific app and also the overall concept, is just too rife with downsides to be workable.

    So we, as men and as society need to reevaluate why women feel the need for such an app, and reinvest in the criminal justice system to hold victimizers more accountable.

    It’s okay to call this app and similar Facebook groups unacceptable. But that’s not enough, we must also call for stronger protections for victims of criminal behavior.

    source
  • pivot_root@lemmy.world ⁨21⁩ ⁨hours⁩ ago

    Tea was storing its users’ sensitive information on Firebase, a Google-owned backend cloud storage and computing service.

    Every time. With startups, it’s always an unsecured Firebase or S3 bucket.

    source
    • Kalothar@lemmy.ca ⁨1⁩ ⁨hour⁩ ago

      They were probably using Firestore as their database without authenticating their API calls to Firebase functions. Basically leaving their API endpoints open to the public Internet.

      They could have connected a service account and used some kind of auth handshake between that and generate a temporary login token based on user credentials and the service account OAuth credentials to access the API. But they probably just had everything set to unauthenticated.

      source
    • NeilBru@lemmy.world ⁨13⁩ ⁨hours⁩ ago

      I’m certainly no web security expert, but shouldn’t a basic developer know how to secure said firebase or S3 buckets with STARTTLS or SSL certificates?

      source
      • GissaMittJobb@lemmy.ml ⁨2⁩ ⁨hours⁩ ago

        SSL is not the tool you need in this case, although you should obviously already be running exclusively on encrypted traffic.

        The problem here is one of access rights - you should not make files default-available for anyone that can figure out the file name to the particular file in the bucket. At the very least, you need to be using signed URLs with a reasonably short expiration, and default all other access to be blocked.

        source
      • zqps@sh.itjust.works ⁨8⁩ ⁨hours⁩ ago

        It’s a little more complex than that. If you want the app on the user device to be able to dump data directly into your online database, you have to give it access in some way. Encrypting the transmission doesn’t do much if every app installation contains access credentials.

        Obviously there are ways around this too, but it’s not just “use TLS”.

        source
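An added example, not from the thread or from Tea's code, of the access model the two replies above describe: the object name alone grants nothing, and the backend hands an authenticated user a short-lived signed URL instead of shipping storage credentials inside the app. The HMAC scheme is a simplified stand-in for a provider's signed URLs; the key, paths and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. The real key stays on the server and is never bundled in the app.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_TTL = 300  # seconds; upper bound on the lifetime of any grant


def _sign(method: str, path: str, expires: int) -> str:
    # Bind the grant to one method, one object and one expiry time.
    msg = f"{method}\n{path}\n{expires}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_url(path: str, method: str = "GET", ttl: int = 60,
              now: Optional[float] = None) -> str:
    """Backend side: call only after authenticating and authorizing the user."""
    now = time.time() if now is None else now
    expires = int(now) + min(ttl, MAX_TTL)
    query = urlencode({"expires": expires, "sig": _sign(method, path, expires)})
    return f"{path}?{query}"


def authorize(url: str, method: str = "GET", now: Optional[float] = None) -> bool:
    """Storage side: default deny, allow only a valid and unexpired signature."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # bare object name or malformed grant
    if now > expires or expires - now > MAX_TTL:
        return False  # expired, or lifetime longer than policy allows
    expected = _sign(method, parts.path, expires)
    return hmac.compare_digest(sig.encode(), expected.encode())


def demo() -> dict:
    t0 = 1_700_000_000                      # constructed timestamp
    path = "/uploads/user-123/photo.jpg"    # constructed object name
    url = issue_url(path, ttl=60, now=t0)
    return {
        "guessed_name": authorize(path, now=t0),
        "fresh_grant": authorize(url, now=t0 + 30),
        "expired_grant": authorize(url, now=t0 + 61),
        "other_object": authorize(url.replace("user-123", "user-456"), now=t0 + 30),
        "wrong_method": authorize(url, method="PUT", now=t0 + 30),
    }


if __name__ == "__main__":
    print(demo())
```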
      • gian@lemmy.grys.it ⁨12⁩ ⁨hours⁩ ago

        I am not sure, but I read somewhere that the developer(s) used vibe coding to create the app so…

        source
    • zqps@sh.itjust.works ⁨8⁩ ⁨hours⁩ ago

      It’s a little more complex than that. If you want the app on the user device to be able to dump data directly into your online database, you have to give it access in some way. Encrypting the transmission doesn’t do much if every app installation contains access credentials.

      Obviously there are ways around this too, but it’s not just “use TLS”.

      source
  • danny801@sh.itjust.works ⁨4⁩ ⁨hours⁩ ago

    S2 Underground has a great video about this. It’s basically a spy app with national security implications.

    People using their military IDs for account verification and location data found in their pictures lays the argument that this data could be used for blackmail.

    source
  • SoftestSapphic@lemmy.world ⁨4⁩ ⁨hours⁩ ago

    Lots of misandrists in this thread framing security failures as sexism against men

    source
    • QueenHawlSera@sh.itjust.works ⁨2⁩ ⁨hours⁩ ago

      It can be both.

      So many problems are caused because society assumes cisgender women are always victims and anything that looks like a man if you look at it long enough is an abuser.

      source
      • SoftestSapphic@lemmy.world ⁨38⁩ ⁨minutes⁩ ago

        It’s just original Facebook but for women to rate and bully men instead of Mark and his scum bros using it to rate and bully women.

        source
  • Velypso@sh.itjust.works ⁨14⁩ ⁨hours⁩ ago

    Ah nice.

    Time to implement a social score. Those who rate highly have better access to social areas.

    Those who rate lower are fucked for the rest of their life.

    source
  • wizbiz@lemmy.blahaj.zone ⁨9⁩ ⁨hours⁩ ago

    Lots of men in this thread real upset about this app pointing out how the majority of men are shit

    source
    • echodot@feddit.uk ⁨6⁩ ⁨hours⁩ ago

      Citation of course needed with that one.

      The only people who will be listed on the app are people who are either deserving they’ve been on there or people who don’t deserve to be on there but some woman in their lives has decided to enact some vengeance justified or otherwise.

      source
    • SoftestSapphic@lemmy.world ⁨4⁩ ⁨hours⁩ ago

      Lots of misandrists in this thread framing security failures as sexism against men

      source
    • ConstantPain@lemmy.world ⁨9⁩ ⁨hours⁩ ago

      Defaming people without giving them a chance to defend themselves, talk about shit people…

      source
      • Soulg@ani.social ⁨6⁩ ⁨hours⁩ ago

        But have you considered man bad?

        source
      • wizbiz@lemmy.blahaj.zone ⁨6⁩ ⁨hours⁩ ago

        It’s not defamation if it’s true

        source
    • GaMEChld@lemmy.world ⁨6⁩ ⁨hours⁩ ago

      What are you basing the majority of men are shit on? Confirmation bias?

      source
      • Dearth@lemmy.world ⁨4⁩ ⁨hours⁩ ago

        Well I’m a man. And most men I interact with are casually misandrist, ableist and homophobic. I can’t imagine they behave any better when they’re trying to fuck you

        source
      • ThrowawayPermanente@sh.itjust.works ⁨6⁩ ⁨hours⁩ ago

        Oh come on, you know how Those People are

        source
    • ZombieMantis@lemmy.world ⁨7⁩ ⁨hours⁩ ago

      It’s an antisocial surveillance system for antisocial people, and creates a(n even more) antagonistic relationship between men and women.

      Dating apps have been a disaster for dating, and this is perhaps the worst among them.

      source
  • QueenHawlSera@sh.itjust.works ⁨20⁩ ⁨hours⁩ ago

    Honestly it seems like a weapon that can too easily be used for defamation

    source
    • 0x0@lemmy.zip ⁨12⁩ ⁨hours⁩ ago

      How dare you!
      The misogyny!

      source
      • Balerion@piefed.blahaj.zone ⁨4⁩ ⁨hours⁩ ago

        No one is saying THAT'S misogynistic. We're saying there are a bunch of stupid misogynistic comments in this thread, not that the app is cool.

        source
    • CidVicious@sh.itjust.works ⁨8⁩ ⁨hours⁩ ago

      I mean, yes, but does that take priority over women who are worried about their safety? There’s been women doing this over local Facebook groups for a long time. Defamation of this sort is not a new issue.

      source
      • QueenHawlSera@sh.itjust.works ⁨2⁩ ⁨hours⁩ ago

        Considering even the mere accusation can ruin someone’s life? Yes.

        The problem isn’t women don’t deserve to be safe, the problem is we cannot just give people powerful weapons with no oversight or burden of proof to be deployed simply because a date didn’t go well.

        Facebook or App, the danger is too great

        source
      • echodot@feddit.uk ⁨6⁩ ⁨hours⁩ ago

        It was defamation the entire time just because somebody made it an app rather than a Facebook group doesn’t make any difference. It was always a crap thing to do.

        Of course Tea took it to an entirely new level of stupid.

        source
  • Bort@hilariouschaos.com ⁨1⁩ ⁨day⁩ ago

    Tea wasn’t hacked. Tea posted these images to a public file sharing site. Tea claimed that they deleted these images after verifying the applicant was a woman but clearly that was a fraudulent claim.

    source
  • absGeekNZ@lemmy.nz ⁨22⁩ ⁨hours⁩ ago

    Change the target to any other group and the outrage would be 100-10000 fold bigger.

    Try it out, instead of Women rating men, try subbing in various minority groups or races.

    Bonus points for the most offensive combinations…

    e.g. Russians rating Ukrainians in your area…it can get pretty bad…I can think of many worse combos.

    source
    • phoenixz@lemmy.ca ⁨9⁩ ⁨hours⁩ ago

      I’m sorry but I’ll just say it outright: new feminists are the absolute worst

      Don’t get me wrong, I’m all for equality where possible. Where isn’t equality possible? Well I’d like to conceive a child, but the plumbing isn’t exactly useful for that. That sort of thing. Beyond that, we’re all the same, and IDGAF about your skin color, sexual preferences or whatever. I live by live and let live, don’t be an asshole, it’s not that hard to be respectful

      New feminists though are the ones coming up with ideas like this website. On the surface, anyone could say that it’s not a bad thing to have a place for women to talk about how to protect themselves. In reality though, it’s a place where men, innocent or not, get doxxed and made to be rapists.

      There are some subs here on Lemmy as well that were very sad to see this shitshow of a website go, lamenting the fact that now they need a different place to dox people. Try not to tell them that doxxing is bad, it gets you banned.

      source
    • AmbitiousProcess@piefed.social ⁨20⁩ ⁨hours⁩ ago

      I think the key reason this was seen as not being terribly offensive was the fact that women are disproportionately more likely than men to be on the receiving end of tons of different negative consequences when dating, thus to a degree justifying them having more of a safe space where their comfort and safety is prioritized.

      However I think a lot of people are also recognizing now that such an app has lots of downsides that come as a result of that kind of structure, like false allegations being given too much legitimacy, high amounts of sensitive data storage, negative interactions being blown out of proportion, etc. I also think that this is yet another signature case of "private market solution to systemic problem" that only kind of addresses the symptoms, but not the actual causes of these issues that are rooted more in our societal standards and expectations of the genders, upbringing, depictions in media, etc.

      source
      • DancingBear@midwest.social ⁨17⁩ ⁨hours⁩ ago

        I’m always reminded of the fact that women on dating sites rate 80% of the men as below average….

        source
      • rottingleaf@lemmy.world ⁨15⁩ ⁨hours⁩ ago

        Stats depend on perception. Where a woman reports abuse, a man often spends an evening drinking or something similar. Not reporting abuse.

        Expectations of men are too somewhat cruel. You should be grenadier-tall (or gorilla-wide, point being, you should look fit), with facial features like those of Keanu Reeves, with voice like that of Orlando Bloom, confident like some CEO, honorable like a samurai from some movie, yet able to override that honor at her whim and do any atrocity to make the world better for her. Like some picture of 1930s’ propaganda.

        If you don’t deliver, then she silently pities herself and silently looks down at you for that. But God forbid you seem like that picture in some regard and then inevitably turn out to be more human, that deceit she won’t forgive.

        It was a problem a century ago that women were mostly right-wing and chauvinist and traditionalist. Most of that has been undone, but not how women in average see gender relations.

        OK, so about the app - I won’t be surprised if it was an intentional honeypot, honestly, to expose those who will use it. And it’s a bad idea, there’s no way to verify anonymous accusations, which means it’s a tool for defamation of any man, and a way to discredit things of the kind written there at the same time.

        source
      • absGeekNZ@lemmy.nz ⁨18⁩ ⁨hours⁩ ago

        I was making the point, that despite the fact that this is mildly ok. The test for anything that gives one group power over another, is to switch the groups.

        If it’s still reasonable, then it is probably OK to keep it. If however it seems wrong after the switch, the bar to keep the power imbalance should be very high.

        source
    • surewhynotlem@lemmy.world ⁨22⁩ ⁨hours⁩ ago

      Russians rating Ukrainians

      Interesting analogy. You realize you have it backwards, right? Women are the Ukrainians in this scenario.

      source
      • absGeekNZ@lemmy.nz ⁨22⁩ ⁨hours⁩ ago

        Agreed, but it is worse the way I put it…

        source
    • Vanth@reddthat.com ⁨18⁩ ⁨hours⁩ ago

      Might want to read up on the origins of Facebook before turning this into a gender wars thing.

      source
      • absGeekNZ@lemmy.nz ⁨18⁩ ⁨hours⁩ ago

        Nothing about gender wars here.

        Just because Facebook is shit, doesn’t make this any better.

        source
  • PotatoesFall@discuss.tchncs.de ⁨14⁩ ⁨hours⁩ ago

    Wow just two days ago I see a post about how Lemmy is dominated by men and how that could become a problem, and today I see a comment section where all the incels come out of the woodwork.

    “waaa somebody wants to solve a problem that has never affected me I’m the victim”

    “omg what if people talk behind my back they might find out I’m an asshole? literally 1984”

    “wadabout if this app was racist?!? checkmate”

    I’m not saying this app is good or bad but if an article about cybersecurity gets posted and this is our first reaction, makes me lose hope in Lemmy.

    source
    • 9bananas@feddit.org ⁨12⁩ ⁨hours⁩ ago

      i mean…an app directly copying a black mirror episode (but almost exclusively targeting a specific demographic) does ring some very, VERY loud alarm bells…

      like, this is literally the plot of nosedive.

      it’s a social credit system.

      and none of the people even know they HAVE a score, so it’s somehow even worse than the fictional scenario.

      this will, absolutely, hurt innocents and it will do so by design.

      “fuck them innocents!”…just because they happen to be men?

      how is that anything other than misandrist?

      how is that defensible?

      how is doxxing, mass libel, and targeted harassment a solution to sexism and rape culture?

      I’d be really interested in hearing anything about how this is supposed to help women, because i struggle to see how sowing massive, unearned distrust between men and women is going to make anyone any safer…

      I’m really, REALLY glad that the GDPR would nuke this sort of nonsense from orbit…uploading pictures of strangers, for the explicit purpose of gossiping about them behind their backs, spreading awful rumors?

      what. the. actual. fuck. is wrong with you people?

      and i don’t mean women, or men, i mean americans and their total disregard for privacy and digital safety. what the hell…

      source
    • Ilovethebomb@sh.itjust.works ⁨12⁩ ⁨hours⁩ ago

      You make a valid point, this platform absolutely shits on anyone without technical knowledge, just look at the hundred or so smug replies telling you what flavor of Linux they run if you mention a problem with Windows. So, no surprise everyone is focusing on that, and not the human aspect here.

      Having said that, there is a power imbalance to this that I really don’t like, the accuser gets to hide behind a veil of anonymity, and the accused has their name published, and is forced to defend themselves.

      source
      • suburban_hillbilly@lemmy.ml ⁨11⁩ ⁨hours⁩ ago

        So, no surprise everyone is focusing on that, and not the human aspect here.

        This is a technology community and the article is specifically about a security breach that exposed massive amounts of sensitive user data.

        source
    • rottingleaf@lemmy.world ⁨12⁩ ⁨hours⁩ ago

      “waaa somebody wants to solve a problem that has never affected me I’m the victim”

      Everyone has the problem that they’d want to discuss others behind their back. It’s not accepted because it doesn’t work to any good end.

      “omg what if people talk behind my back they might find out I’m an asshole? literally 1984”

      You won’t find out anything from this. People sometimes lie, especially in such situations.

      but if an article about cybersecurity gets posted and this is our first reaction, makes me lose hope in Lemmy.

      Human adequacy is a big part of cybersecurity.

      source
    • Balerion@piefed.blahaj.zone ⁨13⁩ ⁨hours⁩ ago

      Yeah, this app sucks for a variety of reasons, but holy shit the misogyny in this thread.

      source
      • ScoffingLizard@lemmy.dbzer0.com ⁨13⁩ ⁨hours⁩ ago

        Thanks for looking out for us. However, I, too, am a bit concerned. This is how Facebook started. The tech industry has zero ethics. I recommend women, AND men, have a trusted safety buddy when dating. When I met my spouse, I had two people who knew where I was, the person’s name, photo, employer, and where we were meeting. Do some internet stalking. If I don’t call you in an hour, come looking for me. If I call, I might ask for another hour, but you get the point.

        source
  • orbituary@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago

    How does this app even work?

    source
    • betterdeadthanreddit@lemmy.world ⁨1⁩ ⁨day⁩ ago

      You sign up and then a while later, your personal information gets leaked to the public. Not sure what its other purpose is.

      source
      • captain_aggravated@sh.itjust.works ⁨56⁩ ⁨minutes⁩ ago

        You could easily convince me that it was a brilliantly executed honeypot. It’s just too damn poetic.

        “It’s a women’s safety app” No it wasn’t. This app was about women’s safety as much as the recent payment processor porn game censorship bullshit was about child safety. This was about slandering men for fun because women love gossip. The app’s name was “Tea.”

        Not a single woman who signed up for this app stopped to think, “Here’s a brand new app, just came out, has no track record, no reputation. I don’t know who runs this. I don’t know how they secure their database. I know what they’re asking, they want a picture of my government-issued ID. We’ve spent the last two decades reading news headlines of the pattern “tech company was hacked, 2.2 million users compromised including emails, home addresses and SSNs” on a weekly basis. There hasn’t been a week gone by since Dubya was president that hasn’t happened.”

        The women who uploaded pictures of their IDs to some app really had their own safety in mind. Turns out you can short circuit that whole process with hilarious ease if you say things like “women only” and “slander your exes.”

        I don’t think I could have constructed a better example as to why all the recent “prove your identity” shit is comprehensively retarded.

        source
      • orbituary@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago

        That’s corporate social media/apps in general. Does this thing basically let people list crappy things that happened to them by specific humans?

        source