Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through people’s personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.

  • JackbyDev@programming.dev
    3 hours ago · 8 up, 1 down

    I can’t open the article, but I think I read that this was hosted on an unprotected bucket. Assuming that’s correct I wouldn’t say this was a breach. A better headline would be “Women dating safety app ‘Tea’ exposed women’s PII”.

    To be 100% clear, I’m not excusing the hackers. I don’t believe it’s morally correct to publicize something because it is exposed. For folks curious about that you can look into how to ethically disclose vulnerabilities. I still view this as doxxing. I still believe what the hackers did should be a criminal offense, it’s just that I also believe the app holds a ton of the blame as well. How can you proclaim to be about keeping women safe while putting them at risk? That should be punished as well.

    Like if the storage facility you trusted to hold your stuff never had locks on the doors, shouldn’t they take a lot of the blame as well as the thief who found out a door was unlocked?

    • hopesdead@startrek.website
      3 hours ago · 4 up

      The bigger problem is trying to get the mainstream that would read an article like that to understand the technical difference between hacking and accessing unsecured data.

      • JackbyDev@programming.dev
        2 hours ago · 2 up

        One of the definitions of hacking is illegally gaining access to a computer system. It doesn’t need to involve any sort of exploit. Stealing from an unlocked home is still stealing. Gaining access to a system by phishing is still hacking. Leaking data that is technically publicly accessible that isn’t meant to be publicly accessible is still hacking.

        Not that I suspect anything good from 4chan but the proper thing to do would be to disclose to Tea that their data is public and allow them to fix the problem. The ethics of vulnerability disclosure still apply when the vulnerability is “hey you literally didn’t secure this at all.”

  • BackgrndNoize@lemmy.world
    5 hours ago · 13 up

    This is why there should be a nationwide rule that PII data should be deleted after the user’s identity has been verified

    • Hozerkiller@lemmy.ca
      6 hours ago · 16 up

      Seeing as the word hack is doing a lot of heavy lifting. They didn’t bother to actually secure the data and then put it on the internet for anyone to access.

  • Bronzebeard@lemmy.zip
    10 hours ago · 13 up

    I had been under the impression that 4chan had also basically died due to their own site getting hacked

    • Revan343@lemmy.ca
      2 hours ago · 2 up

      It’s not like it was a complicated site, they just rebuilt it in some modern framework on the cheap.

  • VinnyDaCat@lemmy.world
    7 hours ago · 6 up, 5 down

    I don’t quite understand the outrage in the thread. I’ve been looking through the comments, trying to see if this ever went beyond gossip and I can’t find anything.

    From my understanding the app was intended to be a safe space for women to discuss dating. Relaying information about dangerous individuals, or people who cheat. I can imagine that things might have gotten slightly out of hand in regards to anonymous gossip, but is that anything compared to being doxxed? Besides, women and men have been gossiping behind each other’s backs for as long as humans have existed. An anonymous app makes it significantly worse certainly, but it is what it is. This behavior is always going to exist for better or for worse. For example, people already discuss this on sites like fetlife since the risk of ending up with someone who wants to batter you for the sake of battering you is somewhat high there.

    Surely we can have some sympathy for people who have had their identifications doxxed by 4chan who haven’t done anything worse than a bit of toxic gossip at most?

    • rozodru@lemmy.world
      6 hours ago · 8 up

      You’re right as far as its intentions go. I honestly couldn’t give a rat’s ass about what it intended to do; what I have a MASSIVE issue with is that it did the EXACT opposite of what it “intended to do.”

      It didn’t provide Women with a “safe space” because women’s government issued IDs and their personal selfies were, quite literally, OUT IN THE OPEN. It opened Women who used the app to way more harm.

      Their database, and I’m being extremely generous when I call it that, wasn’t even password protected. Not even a simple plain text password like “password123”; there was NO password. At all. Period. All I would have had to do was simply see where the app sent the scanned IDs, open a terminal, SSH into it WITHOUT A PASSWORD OR KEY, and then I now have access to the IDs of over 13,000 Women. Hell, I probably wouldn’t have even had to SSH into it, probably could have opened the damn thing from a web browser.

      So when the media is saying 4chan “leaked” this stuff again they’re being generous. It’s like if you were walking down the street that Tea lived on and you noticed they left their door wide open so you decided to peek your head inside and while peeking your head in you noticed a box right by the door that had thousands of IDs in it so you picked up the box and walked out. Chances are other people got to this box before 4chan did, many people probably did, it’s just that 4chan were the only ones to say “Hey I found this house with a wide open door and decided to pick up this box with all these IDs in it, neat huh?”

      • VinnyDaCat@lemmy.world
        6 hours ago · 5 up, 3 down

        None of this is what I am discussing. I’m talking about the people in the thread who are saying that these people deserved this.

          • VinnyDaCat@lemmy.world
            6 hours ago · 2 up

            Sorry if that came off the wrong way. I more so meant it to point out what I intended in case there was a misunderstanding.

  • gnu@lemmy.zip
    23 hours ago · 132 up, 17 down

    People sign up to app intended to share personal information about others without their permission, end up having their own personal information shared without permission - the irony is impressive.

    • surewhynotlem@lemmy.world
      22 hours ago · 77 up, 4 down

      At first I was going to call bullshit because I thought you were exaggerating and being ridiculous.

      Nope. That’s the app. “Anonymous” sharing of pictures and info of other people. Presumably without their permission. That’s fucked up.

      • blarghly@lemmy.world
        20 hours ago · 38 up, 8 down

        Yeah. I mean, I get it. The concept of the app makes sense. And I would bet that, on average, it is/would be used for good.

        On the other hand, as a guy, the idea that people are out there sharing reviews of me as a person on the open internet, and I have no way of knowing this, is deeply unsettling. Like, I haven’t done anything wrong - just the whole concept feels very gross.

        • surewhynotlem@lemmy.world
          6 hours ago · 3 up

          My problem is how it’s implemented.

          An app where you simply post a name and a location, and then people can DM you with their experiences directly, would be a lot less invasive.

        • Donkter@lemmy.world
          12 hours ago · 24 up

          Especially because the app is called “tea”, like the slang term for gossip. The letter of the intention may have been good but the whole thing is toxic.

        • InFerNo@lemmy.ml
          13 hours ago · 7 up

          You could ask someone you know to register and share the login, it’s a flawed concept. There’s probably a bunch of partners in there who didn’t even know their boyfriend used their info to create an account to check on themselves.

        • outhouseperilous@lemmy.dbzer0.com
          5 hours ago · 5 up, 19 down · edited

          Sucks it’s necessary.

          You want women to not just assume you’re an insane violent rape monster? Shit like this is how we know. Edit: the women who used this app were the ones who didn’t want to assume you were all subhuman filth, who wanted to protect themselves from the ‘few bad apples’ without doing splash damage, as they saw it, to the rest of you. And it looks like those naive idiots got proven wrong. There is no way to be safe as a woman or woman categorized person with men in your life, except for rare and astounding luck.

          Or you could, like, fix your entire gender; idk. I’m still going to hate all of you.

  • SaltySalamander@fedia.io
    21 hours ago · 77 up, 40 down

    No sympathy from me whatsoever. The app was designed to allow these women to anonymously post personal information about other people. Fuck 'em. Turnabout is fair play. As my kindergarten teacher used to say, “you get what you get and you don’t pitch a fit”.

    • LePoisson@lemmy.world
      7 hours ago · 20 up, 6 down

      If by “personal information” you mean sharing their experiences with certain people … Yeah I guess.

      They weren’t sharing addresses and social security numbers or drivers license numbers or other things that would lead to identity theft.

      How can you not have sympathy for these women getting doxxed because they wanted to help create a safer space for one another and to help each other out? That’s wild.

      This is far from turnabout, this is abuse.

    • hornedfiend@sopuli.xyz
      10 hours ago · 9 up, 11 down

      Plus the whole moral aspect of such an app. While I agree that women have been mostly objectified their whole existence, this doesn’t help anyone.

      We need to get rid of both superficial ways of looking at each other (women: seeking mostly young, beautiful, rich yes men, men: seeking perfect body, face, housewife stereotypes). Both mindsets are equally trash.

  • sp3ctr4l@lemmy.dbzer0.com
    21 hours ago · 79 up · edited

    Wow that was fast.

    I did not even know this app existed until about 8 hours ago.

    Already compromised.

    EDIT: Also, lol, this arguably is not even largely a hack.

    These idiots just had everything stored in a fucking publicly accessible firebase bucket… amazing.

    They didn’t delete anything they claimed to.

    Either way you look at it, anywhere on the spectrum from:

    A ] A bunch of women reasonably concerned for their safety

    B ] A bunch of gossip mongers

    … well, they’ve now all been doxxed, ironic from each angle.

    What a fucking disaster.

    • JackbyDev@programming.dev
      2 hours ago · 2 up

      this arguably is not even largely a hack.

      While I agree in principle, I think we should still call it a hack. As in “to gain illegal access to (a computer network, system, etc.)” as Merriam-Webster puts it. It shouldn’t be legal to do this just because the website had horrible (non-existent) security. You shouldn’t be allowed to rob a house just because the door wasn’t locked.

    • 𝕛𝕨𝕞-𝕕𝕖𝕧@lemmy.dbzer0.com
      7 hours ago · 4 up

      if that’s truly how the leak happened then these people, in any reasonable jurisdiction, would be considered criminally negligent, at the least.

      yay compsci ethics courses :D

      boo courts failing to uphold the law >:(

  • Wispy2891@lemmy.world
    23 hours ago · 39 up

    Protecting our users’ privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform

    Since sensitive data was put on a public bucket, maybe they meant it was their lowest priority?

  • sunglocto@lemmy.dbzer0.com
    1 day ago · 172 up, 11 down

    This is what happens when you decide to vibecode a service with zero attention to safety or web development. This is why you don’t immediately jump onto a new service without it being vetted properly. Now one of the worst communities on the Internet is in possession of over a hundred thousand women’s driving licenses and faces. This is going to be an absolute disaster.

    • 4am@lemmy.zip
      24 hours ago · 48 up, 1 down

      Now now, I like to shit on vibecoders too but let’s not pretend this is some new problem.

      Idiots leave databases on cloud servers exposed all the time rather than deal with their companies’ often arcane rules for generating certificates

    • Darrell_Winfield@lemmy.world
      1 day ago · 116 up

      This is ALSO why no service should ever require or get my driver’s license information. Fuck that. Also, yet another Constance to those who can’t afford a car or want to improve the environment by living car free.

      • JackbyDev@programming.dev
        2 hours ago · 1 up

        Instead, just prove you have a credit card by submitting the details. Also totally safe. Be sure to include the CVV, please!

      • Alaik@lemmy.zip
        6 hours ago · 1 up

        The only site I ever felt comfortable scanning shit like that into was a site that sold things only to military/medics/fire fighters so I had to upload my medic license and my FF cert.

        Anything beyond that is a no go from me.

      • shiroininja@lemmy.world
        1 day ago · 24 up, 1 down

        My only exception to that are Uber drivers. But then again we live in an age where somehow BetterHelp has become popular, even though they sell your data.

        • TXL@sopuli.xyz
          11 hours ago · 5 up

          I disagree on even that. It should be enough to have some trusted “notary” tick a box that they have verified your driver’s license as valid. It should not be stored or sent anywhere at any time. Just shown to a human. Regularly, if needed.

    • panda_abyss@lemmy.ca
      1 day ago · 20 up

      To be fair, I’m not sure why firebase even has a public access option. That’s a recipe for issues.

      Though if it’s anything like Google Cloud Store, they hopefully make it very clear that your bucket is public.

      • Thymos@discuss.tchncs.de
        11 hours ago · 5 up

        This is something I worry about all the time as well, especially since I’ve started to learn how to code and experienced how easy it is to mess up and send a list with all registered users to everyone opening a page. (This was in a test environment.)

        As a user, there is no proper way I know of to verify an app’s security. Most apps are closed source, but even if you could view the code, what would you look for?

        Both Apple and Google have a verification process for apps that are published in their app stores, but if these worked, we wouldn’t see this happening.

        There are academic researchers working on apps and privacy as well, but it’s not like you can ask them for a report on an app you’re thinking of installing.

        I think it basically comes down to trust. Check if a developer has messed up in the past and how they dealt with that, that sort of stuff. And for dating apps there is this interesting article: https://www.privacyguides.org/articles/2025/06/24/queer-dating-apps-beware-who-you-trust/#reducing-the-risks-when-using-dating-apps

        It’s a long read (haven’t fully read it myself yet) and it paints a bleak picture, but that’s the world we live in today.

      • ByteOnBikes@discuss.online (OP)
        1 day ago · 4 up, 18 down · edited

        I honestly don’t understand what op is talking about.

        Leaks happen all the time, even in billion dollar companies.

        Their comment is the equivalent like, “This is why you should lock your doors!” Like uh okay.

        • Tlaloc_Temporal@lemmy.ca
          20 hours ago · 10 up, 1 down

          This was more like leaving all your valuables in a cardboard box on your front lawn. Anyone can just take it, if they care to look inside the complete unsecured box.

          Someone just drove up and tossed the box in their truck. No lock involved.

        • prof@infosec.pub
          24 hours ago · 16 up, 1 down

          This situation would have been easily preventable with basic understanding of what they’re doing is what OP is saying. This leak is not something highly complex, it is painfully stupid on the side of the developers.

          There’s a difference between a hack, where data is exposed, compared to data exposure due to negligence or ignorance on the development side.

          • Eheran@lemmy.world
            13 hours ago · 4 up

            Again, how should the end user know anything about what is going on at their end? How does anyone “vet” that? It is a nonsense “argument” to put blame on the users.

            • prof@infosec.pub
              7 hours ago · 1 up · edited

              Where I’m from there’s certificates a company can get, that confirm a certain level of process and IT security. Also a company existing for at least 5-10 years without incidents is a “vetted” company in my books. At least anything that managed to produce a working IT system before 2021 when AI came around.

              I also believe there’s a bit of bad wording going on with the original comment. Take it up with that guy, lol.

        • Eheran@lemmy.world
          13 hours ago · 1 up, 2 down

          I love how people just jump on whatever they like, instead of actually thinking about the stuff they read/comment on/upvote. Exactly like on Reddit, no difference.

    • Zetta@mander.xyz
      1 day ago · 14 up, 23 down

      “Vibe coded”, you just made that up, didn’t you, because you don’t like LLMs. I don’t see anything in the article about “AI” and this service has been operating for 2 years.

      • redjard@lemmy.dbzer0.com
        15 hours ago · 5 up, 1 down

        The og 4chan post brought up the vibe coding. Using it as an insult to quality is wider spread than just lemmy.

      • shalafi@lemmy.world
        23 hours ago · 12 up, 4 down

        My thoughts as well. But hey, it’s lemmy! Just accuse someone of doing something we hate, good to go!

  • ToiletFlushShowerScream@lemmy.world
    1 day ago · 67 up, 7 down

    Not sure if this is ironic that the users are now less safe after using the safety app. But I still feel bad for the users. Dating is hard enough without the fear of being harmed.

  • ByteOnBikes@discuss.online (OP)
    1 day ago · 47 up, 11 down

    My friend came over and told me a story about this crazy date she was on. The guy love bombs her, sets her up with a massage, then in the morning, goes out and eats McDonalds alone and ghosts her. Then repeats every few weeks with love bombs.

    I shared that with my discord group and someone said they know that guy too.

    I’m assuming that’s what Tea is for.