
How we found TeaOnHer spilling users' driver's licenses in less than 10 minutes

For an app all about spilling the beans on who you're allegedly dating, it's ironic that TeaOnHer was spilling the personal data of thousands of its users to the open web.

TeaOnHer was designed for men to share photos and information about women they claim to have dated. But much like Tea, the dating-gossip app for women that it was trying to replicate, TeaOnHer had gaping holes in its security that exposed its users' personal information, including photos of their driver's licenses and other government-issued identity documents, as information.killnetswitch reported last week.

These gated community-like apps were created ostensibly to let users share information about their relationships under the guise of personal safety. However, shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information to use apps and websites.

Such risks are only going to get worse; popular apps and web services are already having to comply with age verification laws that require people to submit their identity documents before they can be granted access to adult-themed content, despite the privacy and security risks associated with storing databases of people's personal information.

When information.killnetswitch published our story last week, we didn't publish specific details of the bugs we found in TeaOnHer, erring on the side of caution so as not to help bad actors exploit the bug. Instead, we decided to publish a limited disclosure, given the app's growing popularity and the immediate risks that users faced when using the app.

At the time of disclosure, TeaOnHer was #2 in the free app charts on the Apple App Store, a position still held by the app today.

The flaws we found appear to be resolved. information.killnetswitch can now share how we were able to find users' driver's licenses within 10 minutes of being sent a link to the app in the App Store, thanks to easy-to-find flaws in the app's public-facing backend system, or API.

The app's developer, Xavier Lampkin, did not respond to several requests for comment after we submitted details of the security flaws, nor would Lampkin commit to notifying affected TeaOnHer users or state regulators of the security lapse.

We also asked Lampkin if any security reviews were carried out before the TeaOnHer app was launched, but we received no reply. (We have more on disclosure later on.)

Alright, start the clock.

TeaOnHer exposed 'admin panel' credentials

Before we even downloaded the app, we first wanted to find out where TeaOnHer was hosted on the internet by way of its public-facing infrastructure, such as its website and anything hosted on its domain.

This is usually a good place to start, as it helps to understand what other services the domain is connected to on the internet.

To find the domain name, we first looked (by chance) at the app's listing on the Apple App Store to find the app's website. This can usually be found in its privacy policy, which apps must include before Apple will list them. (The app listing also claims the developer "does not collect any data from this app," which is demonstrably false, so take that as you will.)


TeaOnHer's privacy policy was in the form of a published Google Doc, which included an email address with a teaonher.com domain, but no website.

The website wasn't public at the time, so with no website loading, we looked at the domain's public-facing DNS records, which can help to identify what else is hosted on the domain, such as the type of email servers or hosting provider. We also wanted to look for any public subdomains that the developer might use to host functionality for the app (or to host other resources that should probably not be public), such as admin dashboards, databases, or other web-facing services.

But when we looked at TeaOnHer's public web records, there was no meaningful information other than a single subdomain, appserver.teaonher.com.

When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, we uploaded a copy here). An API simply allows things on the internet to talk to each other, such as linking an app to its central database.

It was on this landing page that we found the exposed email address and plaintext password (which wasn't that far off "password") for Lampkin's account to access the TeaOnHer "admin panel."

The API page showed that the admin panel, used for the document verification system and user management, was located at "localhost," which simply refers to the physical computer running the server and may not have been directly accessible from the internet. It's unclear if anyone could have used the credentials to access the admin panel, but this was in itself a sufficiently alarming finding.

At this point, we were only about two minutes in.

Otherwise, the API landing page didn't do much other than offer some indication of what the API can do. The page listed several API endpoints, which the app needs to access in order to function, such as retrieving user information from TeaOnHer's database, letting users leave reviews, and sending notifications.

With knowledge of these endpoints, it can be easier to interact with the API directly, as if we were imitating the app itself. Every API is different, so learning how an API works and how to communicate with one can take time to figure out, such as which endpoints to use and the parameters needed to effectively speak its language. Apps like Postman can be helpful for accessing and interacting directly with APIs, but this requires time and a certain degree of trial and error (and patience) to make APIs spit out data when they shouldn't.

But in this case, there was an even easier way.

TeaOnHer API allowed unauthenticated access to user data

This API landing page included an endpoint called /docs, which contained the API's auto-generated documentation (powered by a product called Swagger UI) listing the full set of commands that can be performed on the API.


This documentation page was effectively a master sheet of all the actions you could perform on the TeaOnHer API as a regular app user and, more importantly, as the app's administrator, such as creating new users, verifying users' identity documents, moderating comments, and more.

The API documentation also featured the ability to query the TeaOnHer API and return user data, essentially letting us retrieve data from the app's backend server and display it in our browser.

While it's not unusual for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication: no passwords or credentials were needed to return information from the TeaOnHer database. In other words, you could run commands on the API to access users' private data that should not have been accessible to a user of the app, let alone anyone on the internet.

All of this was conveniently and publicly documented for anyone to see.

Requesting a list of users currently in the TeaOnHer identity verification queue, for example (no more than pressing a button on the API page, nothing fancy here), would return dozens of account records on people who had recently signed up to TeaOnHer.

The records returned from TeaOnHer's server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web links to photos of the users' driver's licenses and corresponding selfies.
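The verification-queue endpoint described above is exactly the kind of route that has to sit behind administrator authentication and must never hand document links or email addresses to an anonymous caller. The following is an added example, not TeaOnHer's code and assuming nothing about its real backend: a stand-in server built on Python's standard library, with constructed sample records and a constructed admin token, showing the insecure response the article describes next to a hardened handler that requires a bearer token, strips private fields, and refuses to serve the interactive /docs page on an internet-facing listener.

```python
"""Added example: a verification-queue endpoint done the insecure way and the
hardened way. Everything here is constructed (sample users, token, URLs); it
is not TeaOnHer's code and assumes nothing about its real backend."""
import hmac
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Constructed sample records, shaped like the fields the article lists.
VERIFICATION_QUEUE = [
    {"user_id": "u_3f9a1c", "screen_name": "sam", "age": 31, "location": "Austin",
     "email": "sam@example.invalid",
     "id_document_url": "https://constructed-bucket.example/ids/u_3f9a1c.jpg",
     "selfie_url": "https://constructed-bucket.example/selfies/u_3f9a1c.jpg"},
    {"user_id": "u_8b22d0", "screen_name": "jo", "age": 27, "location": "Boston",
     "email": "jo@example.invalid",
     "id_document_url": "https://constructed-bucket.example/ids/u_8b22d0.jpg",
     "selfie_url": "https://constructed-bucket.example/selfies/u_8b22d0.jpg"},
]
# Constructed admin token; a real deployment would issue short-lived tokens.
ADMIN_TOKEN = "constructed-admin-token-replace-me"
PRIVATE_FIELDS = {"email", "id_document_url", "selfie_url"}


def insecure_queue_response():
    """The failure mode the article describes: every field, to any caller."""
    return VERIFICATION_QUEUE


def is_admin(headers) -> bool:
    """Constant-time comparison of a bearer token against the admin token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], ADMIN_TOKEN)


def redact(record: dict) -> dict:
    """Drop private fields. Document images belong behind a separate, audited
    endpoint rather than being returned as raw links."""
    return {k: v for k, v in record.items() if k not in PRIVATE_FIELDS}


class HardenedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/docs":
            # Auto-generated interactive docs stay off on the public listener.
            return self._json(404, {"detail": "Not Found"})
        if self.path == "/admin/verification-queue":
            if not is_admin(self.headers):
                return self._json(401, {"detail": "authentication required"})
            return self._json(200, [redact(r) for r in VERIFICATION_QUEUE])
        return self._json(404, {"detail": "Not Found"})

    def _json(self, status: int, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request console noise
        pass


def query(path: str, token: Optional[str] = None):
    """Start the hardened server on an ephemeral port, send one GET, and
    return (status, decoded JSON body)."""
    server = HTTPServer(("127.0.0.1", 0), HardenedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        headers = {"Authorization": f"Bearer {token}"} if token else {}
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read())
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("anonymous:", query("/admin/verification-queue"))
    print("admin:    ", query("/admin/verification-queue", ADMIN_TOKEN))
    print("/docs:    ", query("/docs"))
```

The two things worth copying are the shape of the checks, not the toy server: authentication is decided before any data is touched, and the response is built from an allow-list of fields rather than by dumping the stored record. Generated documentation such as Swagger UI is useful in development; the hardened handler simply does not expose it on the public interface.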

Worse, these photos of driver's licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud bucket set as publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone's identity documents open the files from anywhere with no restrictions.
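Public object URLs are a configuration choice, not an accident of S3, and the policy that produces them can be audited mechanically. The checker below is an added example (not TeaOnHer's or AWS's code) that parses a bucket policy document and reports Allow statements granting object reads to an anonymous principal. It is shown against a constructed policy that would produce the exposure described above and a corrected one that limits reads to a single application role; the bucket name, account ID and role name are placeholders.

```python
"""Added example: audit an S3 bucket policy for anonymous read access.
Bucket names, account IDs and role names are constructed placeholders."""
import json
from fnmatch import fnmatchcase

# Constructed policy reproducing the exposure: anyone may GET any object.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForIds",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::constructed-id-bucket/*",
    }],
})

# Corrected policy: only the application's role may read, and the anonymous
# statement is gone. Pair this with the account's Block Public Access settings.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/constructed-app-role"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::constructed-id-bucket/*",
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::constructed-id-bucket",
                     "arn:aws:s3:::constructed-id-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

READ_ACTIONS = ("s3:getobject", "s3:getobjectversion")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two anonymous forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _grants_read(actions) -> bool:
    """Match the listed actions, including wildcards such as s3:Get* or *,
    against the object-read actions."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatchcase(read, pat) for read in READ_ACTIONS for pat in patterns)


def public_read_findings(policy_json: str) -> list:
    """Return one finding per Allow statement that lets anonymous callers read
    objects. A statement carrying a Condition is still reported, flagged so a
    reviewer checks whether the condition actually narrows it."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _is_anonymous(st.get("Principal")):
            continue
        if not _grants_read(st.get("Action", [])):
            continue
        findings.append({
            "sid": st.get("Sid", f"statement[{i}]"),
            "resources": _as_list(st.get("Resource", [])),
            "conditional": "Condition" in st,
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, json.dumps(public_read_findings(policy), indent=2))
```

The checker deliberately ignores NotAction and NotPrincipal forms, which need separate handling, and it only looks at the bucket policy; object ACLs and the account-level Block Public Access settings also decide whether an object URL opens for an anonymous visitor, so a clean policy alone is not proof that the bucket is private.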

Two driver's licenses, one from Texas and the other from Massachusetts, redacted by TechCrunch, which were exposed by the TeaOnHer app.
Two driver's licenses (redacted by information.killnetswitch) exposed by the flaws in the TeaOnHer app. Image Credits: information.killnetswitch (screenshot)

With that unique user identifier, we could also use the API page to directly look up individual users' records, which would return their account data and any of their associated identity documents. With unrestricted access to the API, a malicious user could have scraped huge amounts of user data from the app, much like what happened with the Tea app in the first place.

From bean to cup, that was about 10 minutes, and we hadn't even logged in to the app yet. The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did.

We asked, but Lampkin wouldn't say if he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users' verification documents, such as by scraping web addresses from the API.
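Whether anyone scraped the API before the fix is exactly the question that access logs exist to answer. The following is an added example, not TeaOnHer's tooling, that runs a simple detection over constructed JSON-lines access logs (addresses drawn from documentation ranges, a constructed `authenticated` field that a real gateway would derive from its auth layer): it flags clients that reached the verification queue or user-lookup routes without credentials, and clients that looked up an unusual number of distinct user IDs, the signature of enumeration.

```python
"""Added example: detect unauthenticated use and enumeration of sensitive API
routes in access logs. The log lines, routes and IPs below are constructed."""
import json
import re
from collections import defaultdict

# Constructed JSON-lines access log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
{"ts":"2025-08-01T10:00:01Z","ip":"198.51.100.4","path":"/admin/verification-queue","status":200,"authenticated":true}
{"ts":"2025-08-01T10:00:02Z","ip":"198.51.100.4","path":"/users/u_3f9a1c","status":200,"authenticated":true}
{"ts":"2025-08-01T10:00:03Z","ip":"198.51.100.4","path":"/users/u_8b22d0","status":200,"authenticated":true}
{"ts":"2025-08-01T10:00:04Z","ip":"198.51.100.4","path":"/users/u_19c4e7","status":200,"authenticated":true}
{"ts":"2025-08-01T10:00:05Z","ip":"198.51.100.4","path":"/users/u_a0b1c2","status":200,"authenticated":true}
{"ts":"2025-08-01T10:00:06Z","ip":"198.51.100.4","path":"/users/u_d3e4f5","status":200,"authenticated":true}
{"ts":"2025-08-01T10:10:00Z","ip":"203.0.113.7","path":"/admin/verification-queue","status":200,"authenticated":false}
{"ts":"2025-08-01T10:10:01Z","ip":"203.0.113.7","path":"/users/u_3f9a1c","status":200,"authenticated":false}
{"ts":"2025-08-01T10:10:02Z","ip":"203.0.113.7","path":"/users/u_8b22d0","status":200,"authenticated":false}
{"ts":"2025-08-01T10:10:03Z","ip":"203.0.113.7","path":"/users/u_19c4e7","status":200,"authenticated":false}
{"ts":"2025-08-01T10:10:04Z","ip":"203.0.113.7","path":"/users/u_a0b1c2","status":200,"authenticated":false}
{"ts":"2025-08-01T10:10:05Z","ip":"203.0.113.7","path":"/users/u_d3e4f5","status":200,"authenticated":false}
{"ts":"2025-08-01T10:10:06Z","ip":"203.0.113.7","path":"/users/u_667788","status":200,"authenticated":false}
{"ts":"2025-08-01T10:10:07Z","ip":"203.0.113.7","path":"/admin/verification-queue","status":401,"authenticated":false}
{"ts":"2025-08-01T10:20:00Z","ip":"192.0.2.9","path":"/users/u_3f9a1c","status":200,"authenticated":true}
{"ts":"2025-08-01T10:20:30Z","ip":"192.0.2.9","path":"/reviews","status":200,"authenticated":true}
this line is not JSON and is skipped by the parser
"""

# Routes whose successful responses carry private data (constructed names).
SENSITIVE_ROUTES = (
    re.compile(r"^/admin/verification-queue$"),
    re.compile(r"^/users/(?P<user_id>[A-Za-z0-9_-]+)$"),
)


def parse_log(text: str):
    """Yield one dict per non-empty JSON line; malformed lines are skipped
    rather than aborting the scan."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def _match_sensitive(path: str):
    for pattern in SENSITIVE_ROUTES:
        m = pattern.match(path)
        if m:
            return m
    return None


def suspicious_clients(text: str, distinct_users_threshold: int = 5) -> list:
    """Return findings per client IP, ordered by IP, with the reasons that fired:
    unauthenticated_sensitive_access: a sensitive route answered 2xx to a
    request that carried no credentials;
    user_enumeration: distinct user IDs looked up >= the threshold.
    Only successful (2xx) responses count; rejected requests leaked nothing."""
    unauth_hits = defaultdict(int)
    looked_up = defaultdict(set)
    for entry in parse_log(text):
        m = _match_sensitive(entry.get("path", ""))
        if not m or not 200 <= int(entry.get("status", 0)) < 300:
            continue
        ip = entry.get("ip", "?")
        if not entry.get("authenticated", False):
            unauth_hits[ip] += 1
        if "user_id" in m.groupdict():
            looked_up[ip].add(m.group("user_id"))
    findings = []
    for ip in sorted(set(unauth_hits) | set(looked_up)):
        reasons = []
        if unauth_hits[ip]:
            reasons.append("unauthenticated_sensitive_access")
        if len(looked_up[ip]) >= distinct_users_threshold:
            reasons.append("user_enumeration")
        if reasons:
            findings.append({"ip": ip, "reasons": reasons,
                             "unauthenticated_hits": unauth_hits[ip],
                             "distinct_users": len(looked_up[ip])})
    return findings


if __name__ == "__main__":
    print(json.dumps(suspicious_clients(SAMPLE_LOG), indent=2))
```

On the constructed log the anonymous client is flagged for both reasons, while the authenticated client that walked through five different user records is flagged for enumeration only: an authenticated caller doing bulk lookups is what a leaked admin password would look like in the logs, so the enumeration check is kept independent of the authentication check. The threshold is a starting point to tune against normal administrator traffic.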


In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page, and it now displays only the state of the server that the TeaOnHer API is running on as "healthy." At least on cursory tests, the API now appears to require authentication, and the previous calls made using the API no longer work.

The web addresses containing users' uploaded identity documents have also been restricted from public view.

TeaOnHer developer dismissed efforts to disclose flaws

Given that TeaOnHer had no official website at the time of our findings, information.killnetswitch contacted the email address listed on the privacy policy in an effort to disclose the security lapses.

But the email bounced back with an error saying the email address couldn't be found. We also tried contacting Lampkin through the email address on his website, Newville Media, but our email bounced back with the same error message.

information.killnetswitch reached Lampkin via LinkedIn message, asking him to provide an email address where we could send details of the security flaws. Lampkin responded with a general "support" email address.

When information.killnetswitch discloses a security flaw, we reach out to confirm first that a person or company is the correct recipient. Otherwise, blindly sending details of a security bug to the wrong person could create a risk. Before sharing specific details of the flaws, we asked the recipient of the "support" email address if this was the correct address to disclose a security exposure involving TeaOnHer user data.

"You must have us confused with 'the Tea app'," Lampkin replied by email. (We hadn't.) "We don't have a security breach or data leak," he said. (It did.) "We have some bots at most but we haven't scaled big enough to be in that conversation yet, sorry you were misinformed." (We weren't.)

Satisfied that we had established contact with the right person (albeit not with the response we received), information.killnetswitch shared details of the security flaws, as well as several links to exposed driver's licenses, and a copy of Lampkin's own data to underscore the severity of the security issues.

"Thanks for this information. This is very concerning. We're going to jump on this right now," said Lampkin.

Despite several follow-up emails, we have not heard from Lampkin since we disclosed the security flaws.

It doesn't matter if you're a one-person software shop or a billionaire vibe coding through a weekend: Developers still have a responsibility to keep their users' data safe. If you can't keep your users' private data safe, don't build it in the first place.

If you have evidence of a popular app or service leaking or exposing information, get in touch. You can securely contact this reporter via encrypted message at zackwhittaker.1337 on Signal.
