
Women Dating Safety App ‘Tea’ Breached, Users’ IDs Posted To 4chan

An anonymous reader quotes a report from 404 Media: Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through people’s personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media. In a statement to 404 Media, Tea confirmed the breach also impacted some direct messages but said that the data is from two years ago. Tea, which claims to have more than 1.6 million users, reached the top of the App Store charts this week and has tens of thousands of reviews there. The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.

“Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket,” a post on 4chan providing details of the vulnerability reads. “DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!” The thread says the issue was an exposed database that allowed anyone to access the material. […] “The images in the bucket are raw and uncensored,” the user wrote. Multiple users have created scripts to automate the process of collecting people’s personal information from the exposed database, according to other posts in the thread and copies of the scripts. In its terms of use, Tea says “When you first create a Tea account, we ask that you register by creating a username and including your location, birth date, photo and ID photo.”

After publication of this article, Tea confirmed the breach in an email to 404 Media. The company said on Friday it “identified unauthorized access to one of our systems and immediately launched a full investigation to assess the scope and impact.” The company says the breach impacted data from more than two years ago, and included 72,000 images (13,000 selfies and photo IDs, and 59,000 images from app posts and direct messages). “This data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention,” the email continued. “We have engaged third-party cybersecurity experts and are working around the clock to secure our systems. At this time, there is no evidence to suggest that current or additional user data was affected. Protecting our users’ privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform and prevent further exposure.”

Read more of this story at Slashdot.
