• pivot_root@lemmy.world
    link
    fedilink
    English
    arrow-up
    113
    ·
    3 months ago

    Tea was storing its users’ sensitive information on Firebase, a Google-owned backend cloud storage and computing service.

    Every time. With startups, it’s always an unsecured Firebase or S3 bucket.

    • NeilBrü@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      edit-2
      3 months ago

      I’m certainly no web security expert, but shouldn’t Tea’s junior network/backend/security developers, let alone seniors, know how to secure said Firebase or S3 buckets with STARTTLS or SSL certificates? Shouldn’t a company like this have some sort of compliance department?

      • zqps@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        13
        ·
        edit-2
        3 months ago

        It’s a little more complex than that. If you want the app on the user device to be able to dump data directly into your online database, you have to give it access in some way. Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.

        Obviously there are ways around this too, but it’s not just “use TLS”.

        • NeilBrü@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          edit-2
          3 months ago

          Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.

          Encrypt the credentials then? Or OAUTH pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that encrypts the data on that server and then decrypted on the database host?

          Clearly my utter “noobishness” is showing, but at least it’s triggering a slight urge to casually peruse modern WebSec production workflows. I am a DNN researcher. Thus, I am far removed from customer-facing production environments, and it shows.

          Any recommendations on literature or articles on how engineers solve these problems in a “best practices” way that you can recommend? I suppose I could just look it up, but I thought I’d ask.

          Edit: I don’t know why I’m down-voted. My questions were sincere.

          • nickwitha_k (he/him)@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            5
            ·
            edit-2
            3 months ago

            You’ve got the right ideas. Noone should ever be storing any password in plaintext. It should always be hashed and only the hash stored. That’s like WEBDEV99 (remedial course, not even 101).

            Really. Despite your stated “noobishness”, you basically landed in the territory of best practices right of the bat.

            If you’re looking for a good source of best practices, the CIS benchmarks are great. https://www.cisecurity.org/

            • NeilBrü@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              3 months ago

              Brother, I need the “remedial” lessons since I self-host a lot of my experimental DNN solutions on a GPU cluster served via CasaOS/Ubuntu-Server LTS.

              I’ve followed basic tutorials about nginx, end-to-end encryption, and DNS, but I need more knowledge and training about the theory behind modern security best practices. I think I’m doing okay but I have this ever-present anxiety that I’ve overlooked something and my ass (i.e., sensitive data) is really just hanging out in the wind.

              Thank you for your recommendation.

        • Chulk@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          3 months ago

          Wouldn’t some sort of proxy in between the bucket and the client app solve this problem? I feel like you could even set up an endpoint on your backend that manages the upload. In other words, why is it necessary for the client app to connect directly with the bucket?

          Maybe I’m not understanding the gist of the problem

          • zqps@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 months ago

            Exactly, it’s not necessary. It’s bad / lazy design. You don’t expose the DB storage directly, you expose a frontend that handles all the authentication and validation stuff before accessing the DB on the backend. That’s normal Client-Server-Database architecture.

          • nickwitha_k (he/him)@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 months ago

            Yeah. You also landed on a correct thought process for security. Cloud providers will let you make datastores public but that’s like handing over a revolver with an unknown number of live chambers and saying “Have fun playing Russian roulette! I hope you win.” Making any datastore public facing, without an API abstraction to control authN and authZ is not just a bad practice, it’s a stupid practice.

      • GissaMittJobb@lemmy.ml
        link
        fedilink
        English
        arrow-up
        6
        ·
        3 months ago

        SSL is not the tool you need in this case, although you should obviously already be running exclusively on encrypted traffic.

        The problem here is one of access rights - you should not make files default-available for anyone that can figure out the file name to the particular file in the bucket. At the very least, you need to be using signed URLs with a reasonably short expiration, and default all other access to be blocked.

        • NeilBrü@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          3 months ago

          As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.

          Is it really just permission rights “over-exposure” issue? Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?

          Also, if you have time, recommend any links to web/cloud/SaaS security best practices “for dummies”?

          • nickwitha_k (he/him)@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            3
            ·
            3 months ago

            As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.

            There’s nothing to forgive. Asking questions and being curious is how you learn this stuff.

            Is it really just permission rights “over-exposure” issue?

            From what I’ve read, it’s more fundamental than that. It’s a basic architecture issue. The datastore was publicly accessible, which it should never be. If they had it setup according to best practices, with an API to proxy access and auth, the datastore’s permissions would be of minimal consequence, unless their network was compromised (still best practice to secure it and approach with a zero-trust mindset).

            Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?

            Generally, cloud datastores handle encryption/decryption transparently, as long as the account accessing data has authorization to use the key. They probably also didn’t have encryption setup.

            Also, if you have time, recommend any links to web/cloud/SaaS security best practices “for dummies”?

            Here are some more resources:

    • Kalothar@lemmy.ca
      link
      fedilink
      English
      arrow-up
      6
      ·
      3 months ago

      My hey we’re probably using Firestore as their database without authenticating their api calls to firebase functions. Basically leaving their api endpoints open to the public Internet.

      They could have connected service account and used some kind of auth handshake between that and generate a temporary login token based on user credentials and the service account oauth credentials to access the api. but they probably just had everything set to unauthenticated

        • Kalothar@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 months ago

          I get doing that in Dev for testing before launch, but in production? that’s insane.

          Like it has to either be a junior developer playing the role of lead or some serious lack of web dev fundamentals haha

          • nickwitha_k (he/him)@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 months ago

            I’d argue that it should not even be done in Dev. Dev, staging/testing, and prod environments should all be as close to one another as possible, especially for infra like datastores.

    • Cid Vicious@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      26
      ·
      3 months ago

      I mean, yes, but does that take priority over women who are worried about their safety? There’s been women doing this over local Facebook groups for a long time. Defamation of this sort is not a new issue.

      • Echo Dot@feddit.uk
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        1
        ·
        3 months ago

        It was defamation the entire time just because somebody made it an app rather than a Facebook group doesn’t make any difference. It was always a crap thing to do.

        Of course Tea took it to an entirely new level of stupid.

        • Cid Vicious@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          19
          ·
          3 months ago

          It was potentially defamation when it was just women…talking to one another, too. This seems like a pretty solid case of men looking at something women do to protect each other, and saying “…but what about the men who could be negatively affected in some cases?” I also think the tone in which this is being discussed is pretty revealing about Lemmy’s demographics.

          • discount_door_garlic@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            3 months ago

            the app is called TEA - it is a gossip vector masquerading as a safety mechanism, and people are making all sorts of claims about innocent people they had a bad date about, including their full name, location, workplace, pictures of their face - and accusing them baselessly in some (or most) instances of violent crimes.

            If you can’t see how not only that wouldnt make women safer, but instead is a black mirror episode - there’s something wrong.

            People against this app aren’t against women’s safety, and they dont necessarily believe our current systems and protection are adequate - but getting lynched by half a city because of a jaded ex is not a solution and is a crime of its own.

            I mean half the posts on similar Facebook groups complain about the men being “narcissists” yeah its a shitty personality trait but thats clearly not a fucking safety issue, its about gossiping and doxxing people.

      • QueenHawlSera@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        15
        ·
        3 months ago

        Considering even the mere accusation can ruin someone’s life? Yes.

        The problem isn’t women don’t deserve to be safe, the problem is we cannot just give people powerful weapons with no oversight or burden of proof to be deployed simply because a date didn’t go well.

        Facebook or App, the danger is too great

    • betterdeadthanreddit@lemmy.world
      link
      fedilink
      English
      arrow-up
      107
      arrow-down
      1
      ·
      3 months ago

      You sign up and then a while later, your personal information gets leaked to the public. Not sure what its other purpose is.

      • ORbituary@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        27
        arrow-down
        1
        ·
        3 months ago

        That’s corporate social media/apps in general. Does this thing basically let people list crappy things that happened to them by specific humans?

      • Captain Aggravated@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        3 months ago

        You could easily convince me that it was a brilliantly executed honeypot. It’s just too damn poetic.

        “It’s a women’s safety app” No it wasn’t. This app was about women’s safety as much as the recent payment processor porn game censorship bullshit was about child safety. This was about slandering men for fun because women love gossip. The app’s name was “Tea.”

        Not a single woman who signed up for this app stopped to think, “Here’s a brand new app, just came out, has no track record, no reputation. I don’t know who runs this. I don’t know how they secure their database. I know what they’re asking, they want a picture of my government-issued ID. We’ve spent the last two decades reading news headlines of the pattern “tech company was hacked, 2.2 million users compromised including emails, home addresses and SSNs” on a weekly basis. There hasn’t been a week gone by since Dubya was president that hasn’t happened.”

        The women who uploaded pictures of their IDs to some app really had their own safety in mind. Turns out you can short circuit that whole process with hilarious ease if you say things like “women only” and “slander your exes.”

        I don’t think I could have constructed a better example as to why all the recent “prove your identity” shit is comprehensively retarded.

  • blitzen@lemmy.ca
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    2
    ·
    3 months ago

    I feel that the app filled a need of women we should not ignore. But the app, both this specific app and also the overall concept, is just too rife with downsides to be workable.

    So we, as men and as society need to reevaluate why women feel the need for such an app, and reinvest in the criminal justice system to hold victimizers more accountable.

    It’s okay to call this app and similar Facebook groups unacceptable. But that’s not enough, we must also call for stronger protections for victims of criminal behavior.

    • Ilovethebomb@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      3 months ago

      It would be interesting to see something similar that required accusations to be backed up with evidence. Police reports, court proceedings and results, news articles etc.

      It would also be a lot safer, legally speaking, for the service provider.

      • blitzen@lemmy.ca
        link
        fedilink
        English
        arrow-up
        5
        ·
        3 months ago

        Something like Megan’s law but for domestic violence. I’m still not thrilled with the potential for abuse, but at least it wouldn’t be hearsay.

        I’m sure the police unions would object, for obvious reasons.

    • jpeps@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      I think there must be a way to deliver on the value of the app without it being the privacy/public exposure nightmare it sounds like. Speaking naively, perhaps a setup where you can only speak about a person with those who have actually matched with them.

      • blitzen@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        There’s no “matching” on this app, because men aren’t allowed. By its very design, you can’t avoid the unilateral one-sidedness.

        • jpeps@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 months ago

          Sorry, I do understand that, I was just thinking of an improvement that might help. I thought having the same phone number might work too but that gets dodgier.

  • atk007@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    3 months ago

    Why did the app had the government IDs and credit card data to begin with? The app looks like an obvious phishing scam/ Honeypot situation.

    • GreenKnight23@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      3 months ago

      that’s a great(terrible) idea for a sex trafficking psyop. just get yourself a female spokesperson and make it a platform that gives a voice to women who have survived abuse. they’ll willingly give you all their information on where to find them and their psych profiles on how to manipulate them.

      fucked up, but really shows how fucked up apps are in general and how much power we give to them over ourselves.

  • Vanth@reddthat.com
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    2
    ·
    3 months ago

    I think of the “bad” dates I would want to be able to warn other women of that didn’t rise to the level of calling the cops. The guy who ordered triple the food and drinks I did and skipped out on the bill. The guy who flat out lied about multiple things and then got irate when I politely excused myself from the date. The MAGA weirdo who went on an unhinged rant about how I needed to submit to him because God said so. I imagine some men have comparable experiences with some anti-social women. The experiences coming to mind were not illegal, but were absolutely things I want to spare my fellow humans from.

    I would prefer the dating apps themselves have some mechanism for disincentivizing anti-social behaviors. It would have to be more than a simple 5-star rating.

    I wonder how it would work IRL to offer the ability to write a few sentences in response to prompts about a date. The written review is not published as-is, but is used in grouping of many reviews to give a summary about a person. Like the summary product reviews on Amazon now. “Bill’s dates found he was prompt and polite. Some dates expressed discomfort at some of his political views” and “Bob’s dates warn he is often late and is quick to use foul language to describe women. Multiple dates report no intention to communicate with Bob further”. “Ben’s dates report he has skipped out on the bill repeatedly, and sends unsolicited dick pics. Multiple dates have blocked him”.

    The group summary gives a buffer so the person reviewed doesn’t know which specific date said what. And ensures the summary doesn’t include negative comments about a person unless multiple dates of theirs independently report similar experiences.

    Of course a bad actor could ditch their dating profile and start fresh any time they build up enough negative reviews to make their summary look bad. And of course the reviews and the summaries would have to be secured tighter than “Tea” is.

    • rottingleaf@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      3
      ·
      3 months ago

      The experiences coming to mind were not illegal, but were absolutely things I want to spare my fellow humans from.

      What about a guy who had a panic attack in the very beginning and couldn’t stop talking about his deceased dad, then about aunts and uncles, then about the dog, then about architecture, then didn’t get the hint because of all the shaking, got petrified when hinted at an alcohol element in the continuation of the meeting and in the end didn’t even understand a very direct hints at “only silence can save this” and having at least a sleepover?.. Who only became kinda normal after taking a sedative next morning, still shaking.

      Just describing one negative experience I have provided in the past, and that while yeah, it wasn’t too cool - maybe lifelong shame is not what I deserve for that …

      (Yes, I know that girl was a hero)

      The group summary gives a buffer so the person reviewed doesn’t know which specific date said what. And ensures the summary doesn’t include negative comments about a person unless multiple dates of theirs independently report similar experiences.

      That can’t be done without somehow verifying identities of all the people involved. Unless the review app is the same as the dating app. Then there are various technical variants, like some cryptographic connection between the reviewed person’s identity, the token representing one date, and a temporary identity for the reviewer, used to sign the review message. Something like that.

      But that only for the entity doing the summary, which will have to be trusted with the original reviews. And that “buffer” will remove any kind of verification, unless it’s something egghead-smart like a smart contract forming the review on every client, which means every client can also see the original reviews. So I dunno.

      Of course a bad actor could ditch their dating profile and start fresh any time they build up enough negative reviews to make their summary look bad. And of course the reviews and the summaries would have to be secured tighter than “Tea” is.

      Honestly things like this should work like some hybrid of Briar and Freenet. Just entrusting it to a centralized service is as stupid as using Facebook. And in this specific case Briar model is kinda fine - if you synchronize with everyone using the application. You don’t need to have the reviews from everyone about everyone, just about people roaming the same general area.

    • QueenHawlSera@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      14
      ·
      3 months ago

      It can be both.

      So many problems are caused because society assumes cisgender women are always victims and anything that looks like a man if you look at it long enough is an abuser.

      • SoftestSapphic@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        2
        ·
        3 months ago

        It’s just original Facebook but for women to rate and bully men instead of Mark and his scum bros using it to rate and bully women.

    • Captain Aggravated@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      5
      ·
      3 months ago

      Well, we know what to bait a honeypot with. “Gossip about/slander men right here! To prove you’re a woman, insert your photo ID, bank details, credit card information, finger prints and retinal scans.”

  • PotatoesFall@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    16
    arrow-down
    55
    ·
    edit-2
    3 months ago

    Wow just two days ago I see a post about how Lemmy is dominated by men and how that could become a problem, and today I see a comment section where all the incels come out of the woodwork.

    “waaa somebody wants to solve a problem that has never affected me I’m the victim”

    “omg what if people talk behind my back they might find out I’m an asshole? literally 1984”

    “wadabout if this app was racist?!? checkmate”

    I’m not saying this app is good or bad (I can definitely see the problems) but if an article about cybersecurity gets posted and this is our first reaction, makes me lose hope in Lemmy.

    Edit: Responses have made very good points and I think I was off, thanks guys. I still think some of the early comments I encountered were rather reactionary

    • 9bananas@feddit.org
      link
      fedilink
      English
      arrow-up
      32
      arrow-down
      1
      ·
      edit-2
      3 months ago

      i mean…an app directly copying a black mirror episode (but almost exclusively targeting a specific demographic) does ring some very, VERY loud alarm bells…

      like, this is literally the plot of nosedive.

      it’s a social credit system.

      and none of the people even know they HAVE a score, so it’s somehow even worse than the fictional scenario.

      this will, absolutely, hurt innocents and it will do so by design.

      “fuck them innocents!”…just because they happen to be men?

      how is that anything other than misandrist?

      how is that defensible?

      how is doxxing, mass libel, and targeted harassment a solution to sexism and rape culture?

      I’d be really interested in hearing anything about how this is supposed to help women, because i struggle to see how sowing massive, unearned distrust between men and women is going to make anyone any safer…

      I’m really, REALLY glad that the GDPR would nuke this sort of nonsense from orbit…uploading pictures of strangers, for the explicit purpose of gossiping about them behind their backs, spreading awful rumors?

      what. the. actual. fuck. is wrong with you people?

      and i don’t mean women, or men: i mean americans and their total disregard for privacy and digital safety. what the hell…

    • rottingleaf@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      1
      ·
      3 months ago

      “waaa somebody wants to solve a problem that has never affected me I’m the victim”

      Everyone has the problem that they’d want to discuss others behind their back. It’s not accepted because it doesn’t work to any good end.

      “omg what if people talk behind my back they might find out I’m an asshole? literally 1984”

      You won’t find out anything from this. People sometimes lie, especially in such situations.

      but if an article about cybersecurity gets posted and this is our first reaction, makes me lose hope in Lemmy.

      Human adequacy is a big part of cybersecurity.

    • Ilovethebomb@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      3
      ·
      3 months ago

      You make a valid point, this platform absolutely shits on anyone without technical knowledge, just look at the hundred or so smug replies telling you what flavor of Linux they run if you mention a problem with Windows. So, no surprise everyone is focusing on that, and not the human aspect here.

      Having said that, there is a power imbalance to this that I really don’t like, the accuser gets to hide behind a veil of anonymity, and the accused has their name published, and is forced to defend themselves.

      • suburban_hillbilly@lemmy.ml
        link
        fedilink
        English
        arrow-up
        10
        ·
        3 months ago

        So, no surprise everyone is focusing on that, and not the human aspect here.

        This is a technology community and the article is specifically about a security breach that exposed massive amounts of sensitive user data.