- cross-posted to:
- technology@beehaw.org
- cross-posted to:
- technology@beehaw.org
Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through peoples’ personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.
You must log in or register to comment.
People sign up to app intended to share personal information about others without their permission, end up having their own personal information shared without permission - the irony is impressive.
At first I was going to call bullshit because I thought you were exaggerating and being ridiculous.
Nope. That’s the app. “Anonymous” sharing of pictures and info of other people. Presumably without their permission. That’s fucked up.
Yeah. I mean, I get it. The concept of the app makes sense. And I would be that, on average, it is/would be used for good.
On the other hand, as a guy, the idea that people are out there sharing reviews of me as a person on the open internet, and I have no way of knowing this, is deeply unsettling. Like, I haven’t done anything wrong - just the whole concept feels very gross.
You could ask someone you know to register and share the login, it’s a flawed concept. There’s probably a bunch of partners in there who didn’t even know their boyfriend used their info to create an account to check on themselves.
Especially because the app is called “tea”, like the slang term for gossip. The letter of the intention may have been good but the whole thing is toxic.
removed by mod
as a woman or woman categorized person
Can’t tell if you’re being transphobic to trans femmes or supportive to femme leaning enbies.
Well im talking about external interpretation of ones identity rather than one’s intended expression, so you figure it out. Or don’t.
I’d say that’s supportive of femme leaning enbies rather than transphobic towards trans women.
There are other things it could be. Interperet as you like.
Bruh
I kniw right? Its pretty fucked, but sometimes belief that people, or even men, are mostly good gets you raped or crawling through a puddle of your own blood with fewer than four functioning limbs.
Cynical bitches like me though; we tend to make it out.
…
k
That’s terrible.
Have an upvote.
My problem is how it’s implemented.
An app where you simply post a name and a location, and then people can DM you with their experiences directly, would be a lot less invasive.
I think it depends on people’s intent and purpose for using this service. I’m overall not a fan of someone taking and sharing pictures of me without my consent, or making claims that can’t be defended…
The group of women legitimately using it for safety is fine, in a general sense.
The group of women using it as gossip and entertainment is not.
Considering that “tea” is common slang for gossip I’m not convinced there was many of the
latterformer.Given that the app name is slang for gossip, you’re not convinced there were many women using it for gossip?
Thanks I fixed it
It makes sense using it for safety, but I would worry about whether all the information on there is accurate. Most of the feedback on the app is probably negative, I doubt anyone would really post anything on Tea that’s positive about their former partner. But people like to believe they are in the right. Someone who got in a fight with their partner might post something on Tea that isn’t accurate, but makes them feel better since they can spin the story how they want, and make the other person at fault. However, unlike regular social media, the person being attacked by their partner on Tea has no idea that it happened, and no way to refute what was said. It promotes the opposite of any type of communication between partners after a fight or breakup. It promotes safety, but at the same time it promotes some toxicity in relationships. What would you think if you knew that if your got into a disagreement with your partner that you could end up posted on this app, without any way of arguing back?
I would not under any circumstances give my drivers license to a for profit app. I don’t even like to give my email.
apparently there’s some law in the UK that mandates it now 🙄
Thank fuck for VPNs, although it now wants to show me hot milfs in Brussels.
Something something Vegemite sandwich
Well UK, have the day you voted for I guess
I’d like to blame the voting system for the lack of meaningful voting options.
Ed Davey, I can’t imagine Bad Enoch doing anything and Labour were the ones to implement this.
Unfortunately this is the better of the two main parties. This isn’t republicans winning because dems didn’t vote. Labour won, and this still went through. The UK government as a whole has been on an anti porn brigade for decades. I can’t wait for the day labour and the Tories just die off.
Technically the act passed in 2023 under the Sunak government.
That said; I can’t seem to find a vote breakdown and I would not be at all surprised if labour also backed it.
I’m hoping enough public dissatisfaction leads to labour repealing it but I won’t hold my breath.
The next PM of this country will be the one who promises to bring back all the porn.
Also California
And many republican US states.
This is what happens when you decide to vibecode a service with zero attention to safety or web development. This is why you don’t immediately jump onto a new service without it being vetted properly. Now one of the worst communities on the Internet is in possession of over a hundred thousand women’s driving licenses and faces. This is going to be an absolute disaster.
This is ALSO why no service should ever require or get my driver’s license information. Fuck that. Also, yet another Constance to those who can’t afford a car or want to improve the environment by living car free.
My only exception to that are uber drivers. But then again we live in an age where somehow better help has become popular, even though they sell your data.
I disagree on even that. It should be enough to have some trusted “notary” tick a box that they have verified your driver’s license as valid. It should not be stored out sent anywhere at any time. Just showed to a human. Regularly, if needed.
The only site I ever felt comfortable scanning shit like that into was a site that sold things only to military/medics/fire fighters so I had to upload my medic license and my FF cert.
Anything beyond that is a no go from me.
Instead, just prove you have a credit card by submitting the details. Also totally safe. Be sure to include the CVV, please!
How is something “vetted properly” and how do I find out about that?
You wait a while until something like this happens.
I honestly don’t understand what op is talking about.
Leaks happen all the time, even in billion dollar companies.
Their comment is the equivalent like, “This is why you should lock your doors!” Like uh okay.
This situation would have been easily preventable with basic understanding of what they’re doing is what OP is saying. This leak is not something highly complex, it is painfully stupid on the side of the developers.
There’s a difference between a hack, where data is exposed, compared to data exposure due to negligence or ignorance on the development side.
Again, how should the end use know anything about what is going on at their end? How does anyone “vett” that? It is a nonsense “argument” to put blame on the users.
Where I’m from there’s certificates a company can get, that confirm a certain level of process and IT security. Also a company existing for at least 5-10 years without incidents is a “vetted” company in my books. At least anything that managed to produce a working IT system before 2021 when AI came around.
I also believe there’s a bit of bad wording going on with the original comment. Take it up with that guy, lol.
This was more like leaving all your valuables in a cardboard box on your front lawn. Anyone can just take it, if they care to look inside the complete unsecured box.
Someone just drove up and tossed the box in their truck. No lock involved.
Deutsch ≠ English
Schau mal nach, in welcher Sprache die Wikiseite ist…
I assumed people would be able to find Wikipedia’s “switch language” button and Datensparsamkeit has a better fit here that would be lost in translation.
I love how people just jump on whatever they like, instead of actually thinking about the stuff they read/comment on/upvote. Exactly like on Reddit, no difference.
How strange that a site designed exactly like reddit behaves like reddit.
The thing is that many here think they are better, they look down on Reddit. There is a certain shift in what demographic switched over but generally it is the same.
I thought they were looking down on the owners of reddit, not the user base.
This is something I worry about all the time as well, especially since I’ve started to learn how to code and experienced how easy it is to mess up and send a list with all registered users to everyone opening a page. (This was in a test environment.)
As a user, there is no proper way I know of to verify an app’s security. Most apps are closed source, but even if you could view the code, what would you look for?
Both Apple and Google have a verification process for apps that are published in their app stores, but if these worked, we wouldn’t see this happening.
There are academic researchers working on apps and privacy as well, but it’s not like you can ask them for a report on an app you’re thinking of installing.
I think it basically comes down to trust. Check if a developer has messed up in the past and how they dealt with that, that sort of stuff. And for dating apps there is this interesting article: https://www.privacyguides.org/articles/2025/06/24/queer-dating-apps-beware-who-you-trust/#reducing-the-risks-when-using-dating-apps
It’s a long read (haven’t fully read it myself yet) and it paints a bleak picture, but that’s the world we live in today.
You can pay for a 3rd party to penetration test your app, it’s good practice to do this before you launch an app, after any significant changes, and annually at a minimum.
There are also a growing number of companies offering continuous penetration testing - basically, automated pen tests - but these are expensive and it’s difficult to convince companies that the cost is worth it
Thanks, that’s good to know! If I do ever decide to release an app, I’ll definitely look into this.
Now now, I like to shit on vibecoders too but let’s not pretend this is some new problem.
Idiots leave databases on cloud servers exposed all the time rather than deal with their companies often arcane rules for generating certificates
Remember when the government published SSNs in HTML? https://www.zdnet.com/article/missouri-will-not-prosecute-hacker-reporter-for-daring-to-view-state-website-html/
Where do you think the AI learned it?
Like, I get that competent coders do it too, but now any skiddie with an idea can cosplay as a developer so this is going to be so much more prevelant
That’s not new, either.
To be fair, I’m not sure why firebase even has a public access option. That’s a recipe for issues.
Though if it’s anything like Google Cloud Store, they hopefully make it very clear that your bucket is public.
Anybody oblivious enough to create something like this isn’t someone you should trust your most private data with. This service had red flags from the concept phase, never mind the execution.
This is not to say, of course, that the victims deserved it. It just really sucks that they had to learn this lesson this way.
“Vibe coded” you just made that up didn’t you, because you don’t like llms. I don’t see anything in the article about “Ai” and this service has been operating for 2 years.
My thoughts as well. But hey, it’s lemmy! Just accuse someone of doing something we hate, good to go!
The og 4chan post brought up the vibe coding. Using it as an insult to quality is wider spread than just lemmy.
Maybe I shouldn’t have used the term vibe coded. I apologize.
Protecting our users’ privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform
Since sensitive data was put on a public bucket, maybe they meant it was their lowest priority?
Never upload PII to social media
Your privacy is not legally protected.
Tell that to UK citizens. They have to. To be “protected”. The irony
I live in the UK and, like nearly everyone else in the UK, have never been required to do this. The only time it’s required is when accessing adult-only sites, and there are some obvious workarounds in those cases, yarr.
Wow that was fast.
I did not even know this app existed untill about 8 hours ago.
Already comprimised.
EDIT: Also, lol, this arguably is not even largely a hack.
These idiots just had everything stored in a fucking publically accesible firebase bucket… amazing.
They didn’t delete anything they claimed to.
Either way you look at it, anywhere on the spectrum from:
A ] A bunch of women reasonably concerned for their safety
B ] A bunch of gossip mongers
… well, they’ve now all been doxxed, ironic from each angle.
What a fucking disaster.
this arguably is not even largely a hack.
While I agree in principle, I think we should still call it a hack. As in “to gain illegal access to (a computer network, system, etc.)” as Merriam-Webster puts it. It shouldn’t be legal to do do this just because the website had horrible (non-existent) security. You shouldn’t be allowed to rob a house just because the door wasn’t locked.
This is more like the door was left open and the lights were on, and you took pictures of the artwork on the entryway walls and then left.
Except it wasn’t artwork, it was driver’s licenses. You know, things you obviously shouldn’t have access to.
At which step should it turn illegal? You accessing publicly available website? How exactly are you to know if it is supposed to be public or not, if there is not even an attempt at security?
The thing is we don’t need to come up with some absolute definition of what should and shouldn’t be illegal to talk about this case specifically. They didn’t accidentally stumble on this. They doxxed the users instead of responsibly disclosing the problem. This is extremely cut and dry.
If the story here was “I mistyped something and got to a page I shouldn’t have access to, I disclosed it to the company, didn’t dox anyone by sharing the problem, and now the FBI is after me” it would be different.
They were looking through publicly accessible buckets on firebase. They literally did stumble upon this by accident while going through public data. And then just told other people about what they found. Should they have disclosed it once they realized what it was instead of spreading it? Sure, morally speaking. But I don’t see how you could write a law to make this illegal without just trampling on free speech.
And then just told other people about what they found.
That’s a weird way to say they doxxed people instead of ethically disclosing what they found. Hiding that detail is why I have a problem with defending this.
If someone steals something they didn’t know belonged to someone (say through an unlocked door), should we prosecute them? I don’t know. What did they do next after they found out they shouldn’t be there? Did they give it back and tell the building owners “hey, you have an unlocked door” or did they yell to the street “hey everyone, come get free stuff!” How did they behave once they knew they did something wrong.
From what I have seen, they initial guys shared a link to the database, not any content. The equivalent of telling people: “Look at this unlocked door I found.” They did not “steal” anything as far as I know.
Also, the analogy doesn’t work either. What if it really was intended to be public? Making a copy is not analogous to stealing something, it’s analogous to taking a picture.
PS: Maybe to make it clearer what I am thinking of. A real court case that happened: A person found a bunch of documents on a government website, just sitting there. He decided to share them. Turns out they were not supposed to be public. The government tried to prosecute the guy who had no idea the files were not public. They thankfully lost.
How can it be the responsibility of a person to try to figure out if these files are supposed to be public or are public on accident? Yes, these guys had a good guess that this was an accident, but so what. We don’t prosecute people for having good guesses.
Damn, do you think this link I found that has a ton of women’s drivers licenses is supposed to be public? Better share it to 4chan. They’ll know what to do.
if that’s truly how the leak happened then these people, in any reasonable jurisdiction, would be considered criminally negligent, at the least.
yay compsci ethics courses :D
boo courts failing to uphold the law >:(
Hooray two tiered legal system, huzzah!
/s/s/s
My friend came over and told me a story about this crazy date she was on. The guy love bombs her, sets her up with a massage, then in the morning, goes out and eats McDonalds alone and ghosts her. Then repeats every few weeks with love bombs.
I shared that with my discord group and someone said they know that guy too.
Im assuming that’s what Tea is for.
Wait what? How does one ghost and then repeat love bombing? Also why is eating breakfast alone remarkable? Tf is happening?
Im guessing he’s being way too pushy and overbearing, then goes no contact for two weeks, then repeats the process.
You yadda yadda yadda’ed over the best part.
And what part is that?
What did he order at McDonald’s?
sets her up with a massage, then in the morning,
What happened between the massage and him ditching her to eat breakfast?
You don’t have to go home but you can’t stay here: https://www.literotica.com/stories
No, I mentioned the bisque.
…eats McDonalds alone and ghosts her. Then repeats every few weeks with love bombs
Something something “cheat day”
Not sure if this is ironic that the users are now less safe after using the safety app. But I still feel bad for the users. Dating is hard enough without the fear of being harmed.
Hungry data privacy lawyers when they learned about Tea this week:
I thought 4chan shut down permanently like 2 months ago?
Nah they came back online after like 2 weeks I think?
They found someone to update the PHP version to one released this decade.
Cancer can return after going into remission for a while.
What are the chances of this being the main reason for the app’s existence?
Seeing as the word hack is doing a lot of heavy lifting. They didn’t bother to actually secure the data and then put it on the internet for anyone to access.
This is why there should be a nationwide rule that PII data should be deleted after the users identity has been verified
Truly impressive how little america cares about its citizens.
BUT WE HAVE FREEDUM!!!
A better rule is that PII data should never be used as a basis for auth/auth except by government agencies in the process of delivering legally mandated government services.
There should be a time limit on all data.
I had been under the impression that 4chan had also basically died due to their own site getting hacked
It’s not like it was a complicated site, they just rebuilt it in some modern framework on the cheap.
the site got hacked and most of the admins were revealed to have .gov emails but everyone pretty much already expected that so nobody actually cared and it’s back to business as usual
Oh my god that’s… So stupid, i hate this time line.
Dirty water that would behave no different if you sifted out the proteins.
most of the admins were revealed to have .gov emails
I remember reading that this was something someone just made up and was spread a bunch, but wasn’t true at all.
That which has no life can never truly die (or something)
That is not dead which can eternal lie, and in strange eons even death may die.
I think?
Maybe I’m just getting old, but the idea of “verifying” my real identity to a faceless website or mobile app is abhorrent.
I guess it doesn’t help that governments in some countries (UK, Australia that I know of) are encouraging this bullshit with Trojan horse laws claiming to protect children from adult websites / social media.
Can’t help but think there is also an element of pot meet kettle here, when users of an app designed to dox and slander people without their knowledge are now the ones getting doxxed themselves.
California, Utah, Texas all have laws now requiring age verification to use an app store
If you think that’s the same thing, you don’t understand at least on of those things, but safe money is both…
I’d be interested to know how that works with F-Droid or Aurora.
What if they take people’s biometric aka fingerprint and to view nsfw stuff you goota use the biometric and I am not talking about passkey
What if they fucked right off and left parenting what kids do on their devices to their parents?
How does having my fingerprint prove my age.
The issue is, at some point, they have to connect your “digital you” to your self as a real person, after that they can track you, keep tabs on you. If that data was ever stolen, or a corrupt government rose to power, you’re really screwed.
Yeah. If it did.
Reading these incredible comments has revealed a large piece of what was named as the reason for lemm.ee shutting down.
what was that?
Moderation.
