Tea Spilled ⇥ 404media.co
Emanuel Maiberg and Joseph Cox, 404 Media:
Tea, which claims to have more than 1.6 million users, reached the top of the App Store charts this week and has tens of thousands of reviews there. The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.
“Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket,” a post on 4chan providing details of the vulnerability reads. “DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!”
This is ghastly. It seems possible Tea did not do even the most basic step of stripping location metadata from submitted photos.
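The metadata step mentioned above, as an added illustration that is not code from the post or from Tea: a dependency-free pass that drops the Exif/XMP (APP1) and comment (COM) segments from a JPEG before the file is written to storage, since the Exif block is where a phone's GPS coordinates travel. The sample bytes are constructed and merely JPEG-shaped, not a decodable image, and the GPS tag text is a placeholder.

```python
import struct

SOS, EOI, APP1, COM = 0xDA, 0xD9, 0xE1, 0xFE
STRIP = {APP1, COM}  # APP0 (JFIF), DQT, SOF, DHT stay: decoders need them

def _split(jpeg: bytes):
    """Return (header_segments, scan_offset); each header segment is (marker, raw_bytes)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while True:
        if pos + 2 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:            # optional fill byte between segments
            pos += 1
            continue
        if marker in (SOS, EOI):      # scan data follows; header metadata cannot appear there
            return segments, pos
        if pos + 4 > len(jpeg):
            raise ValueError(f"truncated segment 0x{marker:02X} at offset {pos}")
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad length for segment 0x{marker:02X} at offset {pos}")
        segments.append((marker, jpeg[pos:end]))
        pos = end

def has_metadata(jpeg: bytes) -> bool:
    """True if an APP1 (Exif/XMP, where GPS tags live) or COM segment is present."""
    return any(marker in STRIP for marker, _ in _split(jpeg)[0])

def strip_metadata(jpeg: bytes) -> bytes:
    """Rebuild the file without the STRIP segments; the scan data is copied verbatim."""
    segments, scan = _split(jpeg)
    kept = b"".join(raw for marker, raw in segments if marker not in STRIP)
    return jpeg[:2] + kept + jpeg[scan:]

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (JPEG-shaped, not a real image); APP1 stands in for an Exif block
# with GPSLatitude/GPSLongitude tags, COM for a free-text comment written by a camera app.
EXIF_PAYLOAD = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08GPS-TAGS-HERE"
SAMPLE = (b"\xff\xd8"
          + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(APP1, EXIF_PAYLOAD)
          + _seg(COM, b"taken at home")
          + _seg(0xDB, bytes(65))                 # quantisation table placeholder
          + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\x56\x78\xff\xd9")
```

Run `strip_metadata` on the upload before it is stored, and `has_metadata` on what is already in the bucket to find files that still carry location data.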
Maiberg and Cox, 404 Media:
A second, major security issue with women’s dating safety app Tea has exposed much more user data than the first breach we first reported last week, with an independent security researcher now finding it was possible for hackers to access messages between users discussing abortions, cheating partners, and phone numbers they sent to one another. Despite Tea’s initial statement that “the incident involved a legacy data storage system containing information from over two years ago,” the second issue impacting a separate database is much more recent, affecting messages up until last week, according to the researcher’s findings that 404 Media verified. The researcher said they also found the ability to send a push notification to all of Tea’s users.
Lots of apps have insecure or poorly secured cloud data buckets, and their data gets leaked, and that really sucks. Given the function of Tea and the deserved reputation of 4chan, however, this seems to be driven by motivations greater than a typical breach. In my head, it aligns with the politically motivated breaches of university data.
It is entirely possible this is nothing more than hackers getting lucky, and they were not picking Tea specifically. Fine. Tea should have anticipated the possibility it is a greater target because of the function it serves.
From Tea’s response:
Why did you require IDs prior to end of 2023?
During our early stages of development, we required selfies and IDs as an added layer of safety to ensure that only women were signing up for the app. In 2023, we removed the ID requirement.
Shoshana Weissmann, of the R Street Institute:
Security is dependent in no small part on norms. Understanding how to spot a phishing email, not to share one’s two-factor authentication code, or how to recognize a scam call are all examples of norms that bolster security. Yet when people are increasingly encouraged to share their most sensitive information — photo IDs, Social Security numbers, face scans — across websites and apps, they will begin to feel comfortable doing so. Offering up sensitive data could become a reflexive act like agreeing to terms of service documents. However, people cannot be sure how this data will be stored and used. In this case, Tea could not have been adhering to its privacy policy regarding its data storage, which before now might have assuaged fears of people concerned how their information might be stored or used. Some companies may store and use sensitive data in safer ways, but users do not have the ability to vet this. Even companies using better security practices can face hacks.
R Street is a think tank that stands for “free markets and limited, effective government”, so they will not say this, but privacy legislation would help protect users from these kinds of abuses. It was probably a bad idea for Tea to be collecting so much personal information in the first place. Yet this kind of data is routinely used in some industries, and it is unrealistic to expect individuals to figure out and monitor the privacy practices of individual services. Policies that limit data collection and retention, along with public auditing or other compliance-checking methods, can allow us to be more confident and provide remedies for bad practices and misuse.