Data Breach Exposes Thousands of TeaOnHer Users
It is ironic that TeaOnHer, an application centered around revealing alleged dating connections, was itself responsible for exposing the personal data of thousands of its users to public access.
TeaOnHer was conceived as a platform for men to share photos and details of women they claimed to have dated. It set out to copy Tea, the women-focused dating-gossip app, and it copied Tea's security failures too: TeaOnHer had serious security deficiencies of its own.
Security Flaws and Exposed Information
These deficiencies resulted in the exposure of users’ personal information, including images of driver’s licenses and other official identification documents, as reported by TechCrunch last week.
Apps of this nature, designed as exclusive communities, were intended to facilitate the sharing of relationship information while prioritizing user safety. However, inadequate coding practices and security weaknesses underscore the inherent privacy risks associated with requiring sensitive data submissions for app and website access.
Escalating Risks and Age Verification
These risks are projected to intensify as popular applications and web services increasingly comply with age-verification regulations.
These laws necessitate the submission of identity documents for access to adult content, despite the privacy and security concerns related to maintaining databases of personal information.
Limited Disclosure and App Popularity
Upon publishing our initial report last week, we deliberately withheld specific details regarding the discovered vulnerabilities within TeaOnHer.
This cautious approach was taken to prevent malicious actors from exploiting the flaws. A limited disclosure was chosen due to the app’s growing popularity and the immediate dangers faced by its users.
At the time of disclosure, TeaOnHer held the No. 2 position in the free app rankings on the Apple App Store, a position it currently maintains.
Vulnerability Details and Resolution
The vulnerabilities now appear to have been fixed, so TechCrunch can describe them. We obtained access to users’ driver’s licenses within about 10 minutes of being sent the app’s App Store link.
That access came through easily exploitable flaws in the app’s internet-facing backend, the API that the app itself talks to.
Lack of Response from Developer
The app’s developer, Xavier Lampkin, did not respond to repeated requests for comment following the submission of details concerning the security flaws.
Furthermore, Lampkin did not commit to informing affected TeaOnHer users or relevant state regulators about the security breach.
We also inquired whether any security audits were conducted prior to the app’s launch, but received no response.
Further details regarding our disclosure process will be provided later.
TeaOnHer’s ‘Admin Panel’ Credentials Were Exposed
Prior to downloading the application, our initial step involved identifying the internet hosting location of TeaOnHer. We focused on its publicly accessible infrastructure, including the website and any resources hosted under its domain.
This approach serves as a valuable starting point, enabling an understanding of the domain’s connections to other internet services.
The domain name was discovered through a review of the app’s listing on the Apple App Store. Specifically, we located the app’s website within its privacy policy, a requirement for listing on Apple’s platform. Notably, the app listing asserts that the developer “does not collect any data from this app,” a claim proven inaccurate.
TeaOnHer’s privacy policy was published as a Google Doc, providing an email address utilizing the teaonher.com domain, but lacking a direct website link.
As the website was not publicly available, we examined the domain’s DNS records. These records can reveal additional hosted services, such as email servers or web hosting configurations. We also searched for any public subdomains potentially used by the developer for app functionality or other resources that should have been secured, like admin dashboards or databases.
However, TeaOnHer’s public internet records yielded limited information, consisting of only one subdomain: appserver.teaonher.com.
Opening this subdomain in a web browser displayed the landing page for TeaOnHer’s API. An API is the interface through which software components talk to each other over the network, for example the mobile app talking to its backend database.
This landing page revealed an exposed email address and a plaintext password – remarkably simple – granting access to Lampkin’s account and the TeaOnHer “admin panel.”
The API page indicated that the admin panel, which handles document verification and user management, was served on “localhost,” meaning the server’s own loopback address. That suggests the panel was reachable only from the server itself and not directly over the internet, though whether the exposed credentials could have been used some other way to reach it is unclear.
At this stage of the investigation, only approximately two minutes had elapsed.
Beyond this discovery, the API landing page provided some insight into the API’s capabilities. It listed several API endpoints necessary for the app’s operation, including user record retrieval, review submission, and notification delivery.
Knowing the endpoints makes it easier to talk to the API directly, in effect impersonating the app. Every API is different, and working out how one behaves, which endpoints exist and what parameters they expect, takes time. Tools such as Postman help with sending requests, but coaxing data out of an unfamiliar API is still a matter of experimentation and patience.
However, in this instance, a more straightforward method presented itself.
TeaOnHer API Exhibited Unauthenticated Data Access
The API landing page for TeaOnHer featured a /docs endpoint. This endpoint hosted the API’s automatically generated documentation, powered by Swagger UI, and detailed all possible API commands.
Effectively, this documentation served as a comprehensive guide to all actions executable on the TeaOnHer API, both for standard users and administrators. These actions included user creation, identity verification, and comment moderation.
The documentation also enabled querying the TeaOnHer API to retrieve user data, allowing for the display of information directly from the app’s backend server within a web browser.
Publishing API documentation is common practice among developers and is not itself the problem. The critical flaw was that some of the documented requests could be made without any authentication: no password, token or credential was needed to retrieve user data, so anyone who reached the page could pull private information out of the backend.
This vulnerability was openly and publicly documented for anyone to discover.
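A practitioner reviewing an API like this would want a quick way to find the operations that require no authentication before someone else does. The following is an added example, not TeaOnHer’s code and not TechCrunch’s: a Python script that walks an OpenAPI document, the same JSON that Swagger UI renders at /docs (FastAPI serves it at /openapi.json by default), and lists every operation whose effective security requirement is empty. The sample spec, its paths and the scheme name are constructed assumptions for illustration.

```python
"""Audit an OpenAPI (Swagger) document for operations that require no authentication.

Added example, not code from TeaOnHer or TechCrunch. The spec below is constructed to
mirror the kind of API the article describes (a verification queue, per-user lookup,
an admin route). The paths and scheme names are assumptions for illustration.
"""
import json

# Constructed sample spec (assumption): an OpenAPI 3 document of the sort Swagger UI
# renders. Two of the three sensitive routes carry no security requirement at all;
# only the admin listing and the delete operation are protected by a bearer token.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.2",
  "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/health": {"get": {"summary": "Server status"}},
    "/verification/queue": {"get": {"summary": "Users awaiting ID verification"}},
    "/users/{user_id}": {
      "get": {"summary": "Fetch a user record"},
      "delete": {"summary": "Delete a user", "security": [{"bearer": []}]}
    },
    "/admin/users": {
      "get": {"summary": "List users", "security": [{"bearer": []}]}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Routes that may be public by design; everything else is treated as sensitive.
PUBLIC_ALLOWLIST = {"/health", "/docs", "/openapi.json"}


def unauthenticated_operations(spec: dict, allowlist=PUBLIC_ALLOWLIST) -> list[tuple[str, str]]:
    """Return (METHOD, path) pairs whose effective security requirement is empty.

    OpenAPI resolves security per operation: an operation-level ``security`` key
    overrides the document-level one, and an explicit empty list ``[]`` means
    "no auth". If neither level names a scheme, the operation is open.
    """
    global_security = spec.get("security") or []
    findings = []
    for path, item in spec.get("paths", {}).items():
        if path in allowlist:
            continue
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            effective = op.get("security", global_security)
            # An empty requirement object ({}) also means "authentication optional".
            if not any(req for req in effective):
                findings.append((method.upper(), path))
    return sorted(findings)


def undeclared_schemes(spec: dict) -> set[str]:
    """Scheme names referenced in security requirements but never defined.

    A typo here can leave a route unprotected in some frameworks, so it is worth
    flagging alongside the fully open operations.
    """
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    referenced = set()
    for item in spec.get("paths", {}).values():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                for req in op.get("security", []):
                    referenced.update(req)
    for req in spec.get("security", []):
        referenced.update(req)
    return referenced - declared


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        print(f"OPEN  {method:6} {path}")
    for name in undeclared_schemes(SAMPLE_SPEC):
        print(f"UNDECLARED SCHEME {name}")
```

To run it against a real API, replace SAMPLE_SPEC with json.load() of the downloaded document. The check only reports what the documentation declares; an endpoint can still be open if the framework never enforces the declared scheme, so confirm each finding with an unauthenticated request.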
For instance, requesting a list of users in the TeaOnHer identity verification queue – a simple action on the API page – returned dozens of account records of recent sign-ups.
The returned records contained users’ unique app identifiers, public profile screen names, self-reported age and location, and private email addresses. Critically, they also included web links to photos of users’ driver’s licenses and corresponding selfies.
Those photos of identification documents and selfies were stored in an Amazon S3 storage bucket that was publicly readable: anyone who had the object URLs could open the files with no restriction.
Using a user’s unique identifier, individual user records could be fetched directly from the API page, revealing the account data and the associated identity documents. With unrestricted access, a malicious actor could have scraped user data in bulk, much as happened in the Tea app breach. The entire process, from initial discovery to data access, took approximately 10 minutes and required no app login. Flaws this easy to find have probably been found by others as well.
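The alternative to fixed, publicly readable object URLs is a private bucket fronted by links that expire and are bound to the account allowed to see the document. The following is an added example, not TeaOnHer’s code and not any cloud provider’s presigned-URL format: a simplified HMAC-signed link scheme in Python. The signing key, base URL, object keys and user ids are constructed assumptions for illustration.

```python
"""Time-limited, user-bound download links for identity documents.

Added example, not TeaOnHer's code. It shows the alternative to the pattern the
article describes (document photos at fixed, publicly readable object URLs): keep
the storage private and hand out short-lived links bound to the requesting account.
The scheme is a simplified stand-in for a provider's presigned-URL mechanism, not an
implementation of any cloud vendor's signature format.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"example-key-rotate-me"  # assumption: loaded from a secret store in practice
BASE_URL = "https://files.example.invalid/"  # assumption: an app server, not a public bucket


def _mac(object_key: str, user_id: str, expires: int) -> str:
    """HMAC over the object, the user the link is for, and the expiry time."""
    msg = f"{object_key}\n{user_id}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_link(object_key: str, user_id: str, ttl_seconds: int = 300,
              now: Optional[int] = None) -> str:
    """Mint a link valid only for `user_id` that expires after `ttl_seconds`.

    Call this only after checking that the caller is the document's owner or a
    verifier; the link carries that decision, it does not make it.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"uid": user_id, "exp": expires,
                       "sig": _mac(object_key, user_id, expires)})
    return f"{BASE_URL}{object_key}?{query}"


def verify_link(url: str, requesting_user_id: str, now: Optional[int] = None) -> bool:
    """Server-side check before streaming the object: signature, expiry, user binding."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    object_key = parts.path.lstrip("/")
    params = parse_qs(parts.query)
    try:
        uid, exp, sig = params["uid"][0], int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if uid != requesting_user_id or now > exp:
        return False
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    return hmac.compare_digest(sig, _mac(object_key, uid, exp))


if __name__ == "__main__":
    # Constructed sample: a verifier fetches one applicant's license photo.
    link = make_link("ids/42/license.jpg", "user-42", ttl_seconds=300)
    print(link)
    print("owner, fresh:     ", verify_link(link, "user-42"))
    print("other user:       ", verify_link(link, "user-43"))
    print("after expiry:     ", verify_link(link, "user-42", now=int(time.time()) + 600))
    print("tampered path:    ", verify_link(link.replace("license", "selfie"), "user-42"))
```

This is the same idea cloud providers’ presigned URLs give you: the bucket stays private, the app server mints a short-lived link only after authorising the caller, and a leaked link is useless to anyone else once it expires or is presented by a different account.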
We inquired whether Lampkin possessed the technical capabilities, such as server logs, to determine if the API had been previously exploited for unauthorized data access. However, Lampkin declined to answer.
Following our report, the API landing page and its documentation have been removed. The page now only displays the server status of the TeaOnHer API as “healthy.” Initial testing indicates the API now enforces authentication, and previous API calls are no longer functional.
Access to the web addresses containing users’ uploaded identity documents has also been restricted from public view.
Developer of TeaOnHer Dismissed Reports of Security Vulnerabilities
As TeaOnHer lacked an official website when our investigation concluded, TechCrunch attempted to notify the entity regarding identified security shortcomings by contacting the email address specified within the published privacy policy.
That message bounced, indicating the address in the privacy policy was invalid. We then tried to reach the developer, Xavier Lampkin, through the contact details listed on the website of his company, Newville Media, but those messages bounced with the same error.
TechCrunch subsequently contacted Lampkin via LinkedIn, requesting a valid email address for the secure transmission of details concerning the discovered security vulnerabilities.
Lampkin responded by providing a generic “support” email address. Prior to disclosing sensitive information, TechCrunch routinely verifies the recipient’s identity to prevent accidental exposure to unauthorized parties.
Therefore, we inquired whether the provided “support” address was appropriate for reporting a security exposure impacting TeaOnHer user data. Lampkin’s reply stated, “You must have us confused with ‘the Tea app’,” and further asserted, “We don’t have a security breach or data leak.” (This claim was demonstrably false.)
He continued by stating that the platform only utilized “some bots” and had not reached a scale necessitating security concerns. (This statement was also inaccurate.)
Having confirmed contact with the responsible individual, despite the initial denial, TechCrunch proceeded to share comprehensive details of the security flaws, including direct links to exposed driver’s licenses and a copy of Lampkin’s personal data as evidence of the severity.
Lampkin acknowledged the information, stating, “Thank you for this information. This is very concerning. We are going to jump on this right now.”
Despite subsequent follow-up attempts, no further communication has been received from Lampkin regarding the reported security issues.
Regardless of company size or development resources, all software creators bear the responsibility of safeguarding user data. Data security is paramount; if private information cannot be adequately protected, the application should not be launched.
Reporting Security Flaws: If you possess information regarding data leaks or exposures within popular applications or services, please reach out securely. Contact this reporter via encrypted Signal message at zackwhittaker.1337.