Teaonher Data Leak: User Data & Driver's Licenses Exposed

Data Exposure Concerns with the TeaOnHer App

TeaOnHer, a recently launched application intended for men to share details and photos concerning women they’ve dated, has experienced a data breach, exposing sensitive user information. This includes government-issued identification and personal selfies, as confirmed by TechCrunch.

Response to the 'Tea' App and Initial Controversy

The app debuted on the Apple App Store earlier this week as a counterpart to the viral app Tea. Tea allows women to share experiences about the men they date, functioning similarly to “Are we dating the same guy?” style Facebook groups, and is marketed as a women’s safety tool boasting over 6 million users.

However, Tea has faced criticism due to the unverifiable nature of many user-submitted claims.

Previous Security Incidents with Tea

Last week, backlash against Tea intensified following a report by 404 Media detailing how users on 4chan discovered a publicly accessible database linked to the app. This database contained over 72,000 images, including numerous selfies and photo IDs submitted for verification purposes.

A subsequent hacking incident led to the exposure of over 1 million private messages exchanged within the app, prompting the developers to disable the messaging functionality.

TeaOnHer's Security Vulnerabilities

TeaOnHer, currently holding the No. 2 position among Lifestyle apps on iOS, directly mirrors Tea, even replicating language from its App Store description.

However, it exhibits security weaknesses of its own.

TechCrunch identified at least one flaw granting unauthorized access to TeaOnHer user data. This includes usernames, email addresses, and uploaded driver’s licenses and selfies.

These driver’s license images are accessible via public web addresses, allowing anyone with the links to view them.

Data Exposure Details

In one instance, TechCrunch observed a list of TeaOnHer posts accompanied by each user’s email address, display name, and self-reported location.

To prevent exploitation, TechCrunch is withholding specific details regarding these vulnerabilities.

The app’s developers have not responded to inquiries regarding reporting these flaws, leading TechCrunch to publish this report with limited details due to the app’s popularity and associated risks.

Developer Information

TeaOnHer was uploaded to the iOS App Store by Newville Media Corporation. Xavier Lampkin is listed as the founder and CEO of this company on LinkedIn.

TechCrunch discovered at least one TeaOnHer record linked to Lampkin’s personal data.

Impact and User Base

This security lapse potentially affects all users who registered with the app or submitted identification documents.

The vulnerability also reveals the app’s current user base, which stands at approximately 53,000 users.

Additional Security Concerns

A potential second security issue was identified: an email address and plaintext password belonging to Lampkin were exposed on the server.

These credentials appear to provide access to the app’s administrative panel. While TechCrunch refrained from using these credentials due to legal considerations, it underscores the danger of exposing admin access details.

Concerning Content Within the App

Beyond security flaws, the content within TeaOnHer raises concerns.

While the app requests identity verification through IDs and selfies – a process that isn’t automated – users can access a “guest” view without logging in.

Upon accessing the “guest” view, TechCrunch encountered multiple images of the same nude woman posted under different usernames, indicative of spam.

The consent of the woman depicted in these images is unclear.

Other posts share women’s photos and names alongside derogatory comments, including accusations of sexually transmitted infections.

App Ranking

Currently, TeaOnHer is ranked No. 17 overall among all free apps, surpassing popular applications like Instagram, Netflix, Uber, and Spotify. Tea is presently ranked No. 2.