Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through people’s personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.
Maybe I’m just getting old, but the idea of “verifying” my real identity to a faceless website or mobile app is abhorrent.
I guess it doesn’t help that governments in some countries (UK, Australia that I know of) are encouraging this bullshit with Trojan horse laws claiming to protect children from adult websites / social media.
Can’t help but think there is also an element of pot meet kettle here, when users of an app designed to dox and slander people without their knowledge are now the ones getting doxxed themselves.
California, Utah, Texas all have laws now requiring age verification to use an app store
If you think that’s the same thing, you don’t understand at least one of those things, but safe money is both…
I’d be interested to know how that works with F-Droid or Aurora.
What if they take people’s biometrics, aka fingerprints, and to view NSFW stuff you gotta use the biometric? And I am not talking about passkeys.
What if they fucked right off and left parenting what kids do on their devices to their parents?
How does having my fingerprint prove my age?
The issue is, at some point, they have to connect your “digital you” to yourself as a real person; after that they can track you, keep tabs on you. If that data was ever stolen, or a corrupt government rose to power, you’re really screwed.
Yeah. If it did.
I thought 4chan shut down permanently like 2 months ago?
They found someone to update the PHP version to one released this decade.
Nah they came back online after like 2 weeks I think?
Cancer can return after going into remission for a while.
I would not under any circumstances give my drivers license to a for profit app. I don’t even like to give my email.
apparently there’s some law in the UK that mandates it now 🙄
And many republican US states.
Thank fuck for VPNs, although it now wants to show me hot milfs in Brussels.
Something something Vegemite sandwich
Also California
Well UK, have the day you voted for I guess
I’d like to blame the voting system for the lack of meaningful voting options.
Unfortunately this is the better of the two main parties. This isn’t republicans winning because dems didn’t vote. Labour won, and this still went through. The UK government as a whole has been on an anti porn brigade for decades. I can’t wait for the day labour and the Tories just die off.
Technically the act passed in 2023 under the Sunak government.
That said; I can’t seem to find a vote breakdown and I would not be at all surprised if labour also backed it.
I’m hoping enough public dissatisfaction leads to labour repealing it but I won’t hold my breath.
The next PM of this country will be the one who promises to bring back all the porn.
Not sure if this is ironic that the users are now less safe after using the safety app. But I still feel bad for the users. Dating is hard enough without the fear of being harmed.
What are the chances of this being the main reason for the app’s existence?
Seeing as the word hack is doing a lot of heavy lifting. They didn’t bother to actually secure the data and then put it on the internet for anyone to access.
I don’t quite understand the outrage in the thread. I’ve been looking through the comments, trying to see if this ever went beyond gossip and I can’t find anything.
From my understanding the app was intended to be a safe space for women to discuss dating, relaying information about dangerous individuals, or people who cheat. I can imagine that things might have gotten slightly out of hand in regards to anonymous gossip, but is that anything compared to being doxxed? Besides, women and men have been gossiping behind each other’s backs for as long as humans have existed. An anonymous app makes it significantly worse certainly, but it is what it is. This behavior is always going to exist for better or for worse. For example, people already discuss this on sites like Fetlife since the risk of ending up with someone who wants to batter you for the sake of battering you is somewhat high there.
Surely we can have some sympathy for people who have had their identifications doxxed by 4chan who haven’t done anything worse than a bit of toxic gossip at most?
You’re right as far as its intentions go. I honestly couldn’t give a rat’s ass about what it intended to do. What I have a MASSIVE issue with is that it did the EXACT opposite of what it “intended to do.”
It didn’t provide Women with a “safe space” because women’s government issued IDs and their personal selfies were, quite literally, OUT IN THE OPEN. It opened Women who used the app to way more harm.
Their database, and I’m being extremely generous when I call it that, wasn’t even password protected. Not even a simple plain text password like “password123”; there was NO password. At all. Period. All I would have had to do was simply see where the app sent the scanned IDs, open a terminal, SSH into it WITHOUT A PASSWORD OR KEY, and then I now have access to the IDs of over 13,000 women. Hell, I probably wouldn’t have even had to SSH into it; I probably could have opened the damn thing from a web browser.
So when the media is saying 4chan “leaked” this stuff, again they’re being generous. It’s like if you were walking down the street that Tea lived on and you noticed they left their door wide open, so you decided to peek your head inside, and while peeking your head in you noticed a box right by the door that had thousands of IDs in it, so you picked up the box and walked out. Chances are other people got to this box before 4chan did, many people probably did; it’s just that 4chan were the only ones to say “Hey, I found this house with a wide open door and decided to pick up this box with all these IDs in it, neat huh?”
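The exposure the comment above describes (no password, reachable from a browser) and the Firebase hosting mentioned in the article excerpt come down to one configuration file. The following is an added editor’s example, not Tea’s actual ruleset (which is not public), showing Firebase Storage security rules in the world-readable form first, then a locked-down version for the same kinds of data. The path names (/id_verification, /selfies) and the 5 MB cap are assumptions chosen for illustration.

```firebase
// Added example, not the app's real configuration. Firebase Storage rules.
//
// WEAK: every object in the bucket can be read and written by anyone on the
// internet, no sign-in required. A URL in a browser is enough.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

// HARDENED: a project has one ruleset, so this replaces the block above.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Rules default to deny; this makes it explicit that nothing outside the
    // paths below is ever granted to a client.
    match /{allPaths=**} {
      allow read, write: if false;
    }

    // ID verification images (assumed path). A signed-in user may upload only
    // into their own folder, only an image, capped at 5 MB. No client may read
    // them back at all; the verification backend fetches them with the Admin
    // SDK (which bypasses these rules) and deletes them once the check is done.
    match /id_verification/{uid}/{file} {
      allow read: if false;
      allow write: if request.auth != null
                   && request.auth.uid == uid
                   && request.resource.contentType.matches('image/.*')
                   && request.resource.size < 5 * 1024 * 1024;
    }

    // Profile selfies (assumed path): readable by signed-in users only,
    // writable only by the owning account.
    match /selfies/{uid}/{file} {
      allow read: if request.auth != null;
      allow write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
```

Two points follow from the rules themselves. First, they only constrain the client SDKs and the public download URLs; anything running with Admin SDK credentials bypasses them, so server-side code still has to enforce retention (the thread notes the app said it deleted IDs after verification). Second, `allow ... if false` does not “deny”; Firebase grants access if any matching rule allows it and denies otherwise, so the hardened version works because no rule grants read access to the ID folder, not because of the explicit `false`.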
None of this is what I am discussing. I’m talking about the people in the thread who are saying that these people deserved this.
Are you the only one allowed to bring up points of conversation? Let them say their part
Sorry if that came off the wrong way. I more so meant it to point out what I intended in case there was a misunderstanding.
Why not address them directly?
might have gotten slightly out of hand in regards to anonymous gossip, but is that anything compared to being doxxed?
Well, considering the app has profiles of guys with pics all uploaded without their consent or even awareness, and in addition to unaccountable anonymous gossip, the “pro” features include their entire background, address, phone number, etc.? I’d say the doxxing app got its users doxxed and it’s really sort of a wash. I don’t even use Facebook or post pics online and now people dumb enough to upload their ID can upload unremovable pictures of me? Cool.
Imagine if there was a site for just guys to upload pics of cheating women without their consent and shit talk them anonymously without any verification of their claims, and if they pay a fee it includes her address and phone number and criminal record. Nobody would be cool with that. This isn’t different.
Never upload PII to social media
Your privacy is not legally protected.
Tell that to UK citizens. They have to. To be “protected”. The irony
I can’t open the article, but I think I read that this was hosted on an unprotected bucket. Assuming that’s correct I wouldn’t say this was a breach. A better headline would be “Women dating safety app ‘Tea’ exposed women’s PII”.
To be 100% clear, I’m not excusing the hackers. I don’t believe it’s morally correct to publicize something because it is exposed. For folks curious about that you can look into how to ethically disclose vulnerabilities. I still view this as doxxing. I still believe what the hackers did should be a criminal offense, it’s just that I also believe the app holds a ton of the blame as well. How can you proclaim to be about keeping women safe while putting them at risk? That should be punished as well.
Like if the storage facility you trusted to hold your stuff never had locks on the doors, shouldn’t they take a lot of the blame as well as the thief who found out a door was unlocked?
The bigger problem is trying to get the mainstream that would read an article like that to understand the technical difference between hacking and accessing unsecured data.
One of the definitions of hacking is illegally gaining access to a computer system. It doesn’t need to involve any sort of exploit. Stealing from an unlocked home is still stealing. Gaining access to a system by phishing is still hacking. Leaking data that is technically publicly accessible that isn’t meant to be publicly accessible is still hacking.
Not that I suspect anything good from 4chan but the proper thing to do would be to disclose to Tea that their data is public and allow them to fix the problem. The ethics of vulnerability disclosure still apply when the vulnerability is “hey you literally didn’t secure this at all.”
This reminded me of an anecdote from maybe 6 years ago. I was setting up and testing a small network and a couple devices to install for a customer, let’s say the subnet was 192.168.2.0/24.
Weird things were happening. I was being lazy and wasn’t directly connected to the network, may have set up a VPN between devices somewhere; can’t really remember. But pings would sometimes drop or blow out to 100s of ms.
I eventually ended up disconnecting that network entirely, then the pings continued and got more stable?? WTF! I knew we didn’t have that subnet in use, even checked before setting it up. In the time between checking and the issues happening, someone in Sydney somewhere had stuffed up on their router and exposed their LAN to the internet without any firewalls, just available.
Scanned and found all the IPs in use and in them found a printer. Connected to it and printed a page saying I’m from company XYZ and found all these devices available, and to either contact their IT and resolve it ASAP or my company to help. About an hour later it seemed to be resolved.
It was an interesting day.
Uh… you can’t just “expose a LAN network to the Internet” in this manner. Local subnets aren’t routable over the Internet, so you can’t just enter 192.168.2.3 and end up on somebody else’s private LAN.
https://www.geeksforgeeks.org/computer-networks/non-routable-address-space/
They would have needed to either have all their internal devices assigned public IPs or had NAT+firewall rules explicitly routing ports from their outside address(es) to the inside ones. The former is unlikely as normally ISPs don’t allocate that many to a given client, or at least not by DHCP. The latter would require a specific configuration mapping the outside addresses/ports to inside devices, likely on a per device+port basis.
Either your story is missing key details or you’ve misunderstood/made-up something.
They did indicate that the subnet they provided in the example was not the actual one they used.
I worked for an ISP. A cable company. We were getting our local off-air channels from a site that was in easy reception of them. They had a large amount of bandwidth and did the same thing for Dish and DirecTV. The man who ran the network side had a stroke and died. The hack that ran the broadcast side of their main business took over. Next thing I know I’m having all kinds of problems with our multicast tunnel. I port scanned the IP range and discovered they had opened the whole thing up. We had a conference call where I detailed my concerns. Later that day the hack called my boss with his boss on the line and we had another meeting where I told them that they were exposed with default passwords and it could be a real problem.
After I was given verbal permission to demonstrate my concerns with some limitations, I took over all default password equipment and sent a large number of short stories to their printers. I ended it with the story “Superiority” by Arthur C. Clarke. Some back and forth a day later and they needed a new sysadmin.
illegally gaining access to a computer system
This is also the legal definition applied in Germany (with the only difference being that in Germany it is “gaining access to a system not meant to be accessed”). The problem with this is that everyone who finds security breaches is at risk of being punished for it, even if they ethically disclose it. There have been various cases of ethical hackers receiving fines for disclosing security vulnerabilities.
Same in America. Someone who found a government website had SSNs just sitting in the HTML was almost prosecuted for viewing the raw HTML after ethically disclosing it.
The term has had so many definitions it’s not really meaningful.
To a normie, turning the pull tab on a beverage can around so that it holds a straw is a “hack.”
The storage facility concept is kinda close, if you count it as “a storage facility beside a major intersection in a big facility, with the locker doors left open despite the warning at the front desk not to do so.”
Soft rules have never applied to the internet.
Things that you wouldn’t do AFK, just because “those are the rules”, don’t apply when every empathy-damaged person in the world with an internet connection can break them.
Well said.
They also said they deleted IDs once users were verified. The breach proved that to be an outright lie.
Criminal negligence.
Hungry data privacy lawyers when they learned about Tea this week:
Reading these incredible comments has revealed a large piece of what was named as the reason for lemm.ee shutting down.
what was that?
Moderation.
I had been under the impression that 4chan had also basically died due to their own site getting hacked
It’s not like it was a complicated site, they just rebuilt it in some modern framework on the cheap.
the site got hacked and most of the admins were revealed to have .gov emails but everyone pretty much already expected that so nobody actually cared and it’s back to business as usual
most of the admins were revealed to have .gov emails
I remember reading that this was something someone just made up and was spread a bunch, but wasn’t true at all.
Oh my god that’s… so stupid. I hate this timeline.
Dirty water that would behave no different if you sifted out the proteins.
That which has no life can never truly die (or something)
That is not dead which can eternal lie, and in strange eons even death may die.
I think?
deleted by creator
Wow that was fast.
I did not even know this app existed until about 8 hours ago.
Already compromised.
EDIT: Also, lol, this arguably is not even largely a hack.
These idiots just had everything stored in a fucking publicly accessible Firebase bucket… amazing.
They didn’t delete anything they claimed to.
Either way you look at it, anywhere on the spectrum from:
A ] A bunch of women reasonably concerned for their safety
B ] A bunch of gossip mongers
… well, they’ve now all been doxxed, ironic from each angle.
What a fucking disaster.
if that’s truly how the leak happened then these people, in any reasonable jurisdiction, would be considered criminally negligent, at the least.
yay compsci ethics courses :D
boo courts failing to uphold the law >:(
Hooray two tiered legal system, huzzah!
/s/s/s
this arguably is not even largely a hack.
While I agree in principle, I think we should still call it a hack. As in “to gain illegal access to (a computer network, system, etc.)” as Merriam-Webster puts it. It shouldn’t be legal to do this just because the website had horrible (non-existent) security. You shouldn’t be allowed to rob a house just because the door wasn’t locked.
This is more like the door was left open and the lights were on, and you took pictures of the artwork on the entryway walls and then left.
Except it wasn’t artwork, it was driver’s licenses. You know, things you obviously shouldn’t have access to.
At which step should it turn illegal? You accessing a publicly available website? How exactly are you to know if it is supposed to be public or not, if there is not even an attempt at security?
The thing is we don’t need to come up with some absolute definition of what should and shouldn’t be illegal to talk about this case specifically. They didn’t accidentally stumble on this. They doxxed the users instead of responsibly disclosing the problem. This is extremely cut and dry.
If the story here was “I mistyped something and got to a page I shouldn’t have access to, I disclosed it to the company, didn’t dox anyone by sharing the problem, and now the FBI is after me” it would be different.
They were looking through publicly accessible buckets on firebase. They literally did stumble upon this by accident while going through public data. And then just told other people about what they found. Should they have disclosed it once they realized what it was instead of spreading it? Sure, morally speaking. But I don’t see how you could write a law to make this illegal without just trampling on free speech.
And then just told other people about what they found.
That’s a weird way to say they doxxed people instead of ethically disclosing what they found. Hiding that detail is why I have a problem with defending this.
If someone steals something they didn’t know belonged to someone (say through an unlocked door), should we prosecute them? I don’t know. What did they do next after they found out they shouldn’t be there? Did they give it back and tell the building owners “hey, you have an unlocked door” or did they yell to the street “hey everyone, come get free stuff!” How did they behave once they knew they did something wrong.
From what I have seen, the initial guys shared a link to the database, not any content. The equivalent of telling people: “Look at this unlocked door I found.” They did not “steal” anything as far as I know.
Also, the analogy doesn’t work either. What if it really was intended to be public? Making a copy is not analogous to stealing something, it’s analogous to taking a picture.
PS: Maybe to make it clearer what I am thinking of. A real court case that happened: A person found a bunch of documents on a government website, just sitting there. He decided to share them. Turns out they were not supposed to be public. The government tried to prosecute the guy who had no idea the files were not public. They thankfully lost.
How can it be the responsibility of a person to try to figure out if these files are supposed to be public or are public on accident? Yes, these guys had a good guess that this was an accident, but so what. We don’t prosecute people for having good guesses.
Damn, do you think this link I found that has a ton of women’s drivers licenses is supposed to be public? Better share it to 4chan. They’ll know what to do.
My friend came over and told me a story about this crazy date she was on. The guy love bombs her, sets her up with a massage, then in the morning, goes out and eats McDonalds alone and ghosts her. Then repeats every few weeks with love bombs.
I shared that with my discord group and someone said they know that guy too.
I’m assuming that’s what Tea is for.
Wait what? How does one ghost and then repeat love bombing? Also why is eating breakfast alone remarkable? Tf is happening?
I’m guessing he’s being way too pushy and overbearing, then goes no contact for two weeks, then repeats the process.
You yadda yadda yadda’ed over the best part.
And what part is that?
What did he order at McDonald’s?
sets her up with a massage, then in the morning,
What happened between the massage and him ditching her to eat breakfast?
You don’t have to go home but you can’t stay here: https://www.literotica.com/stories
No, I mentioned the bisque.
…eats McDonalds alone and ghosts her. Then repeats every few weeks with love bombs
Something something “cheat day”
Protecting our users’ privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform
Since sensitive data was put on a public bucket, maybe they meant it was their lowest priority?