Male-Oriented App 'TeaOnHer' Also Had Security Flaws That Could Leak Men's Driver's License Photos (techcrunch.com)
- Reference: 0178718476
- News link: https://it.slashdot.org/story/25/08/18/0550252/male-oriented-app-teaonher-also-had-security-flaws-that-could-leak-mens-drivers-license-photos
- Source link: https://techcrunch.com/2025/08/13/how-we-found-teaonher-spilling-users-drivers-licenses-in-less-than-10-minutes/
> The suits could result in Tea having to pay tens of millions of dollars in damages to the plaintiffs, which could be catastrophic for the company, an expert told NBC News... One of the suits lists the right-wing online discussion board 4chan and the social platform X as defendants, alleging that they allowed bad actors to spread users' personal information.
But meanwhile, a new competing app for men called "TeaOnHer" has already been launched. And it was also found to have enormous security flaws, [3]reports TechCrunch, that "[4]exposed its users' personal information, including photos of their driver's licenses and other government-issued identity documents..."
> [W]hen we looked at the TeaOnHer's public internet records, it had no meaningful information other than a single subdomain, appserver.teaonher.com. When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, [5]we uploaded a copy here)... It was on this landing page that we found the exposed email address and plaintext password (which [6]wasn't that far off from "password") for [TeaOnHer developer Xavier] Lampkin's account to access the TeaOnHer "admin panel"... This API landing page included [7]an endpoint called /docs, which contained the API's auto-generated documentation (powered by a product called Swagger UI) that contained the full list of commands that can be performed on the API [including administrator commands to return user data]...
>
> While it's not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication — no passwords or credentials were needed...
>
> The records returned from TeaOnHer's server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web address links containing photos of the users' driver's licenses and corresponding selfies. Worse, these photos of driver's licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud server set as publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone's identity documents open the files from anywhere with no restrictions...
>
> The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did. We asked, but Lampkin would not say if he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users' verification documents, such as by scraping web addresses from the API. In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page, and it now displays only the state of the server that the TeaOnHer API is running on as "healthy."
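The two defects the article describes (a record-listing endpoint callable with no credentials, and identity documents served as permanently public object links) side by side with a hardened handler, as an added example that is not code from TeaOnHer, TechCrunch or the Slashdot summary. The user table, secret, admin token and "bucket" host are all constructed stand-ins; the HMAC link signing imitates the idea of a short-lived presigned URL and is not a real S3 client call.

```python
import hashlib
import hmac
import time

# Constructed sample records in the shape the article describes: app id,
# screen name, self-reported age/location, private email, ID-document key.
USERS = {
    "a1b2c3": {"screen_name": "sam", "age": 29, "location": "Austin",
               "email": "sam@example.invalid",
               "license_key": "verifications/a1b2c3/license.jpg"},
}
SECRET = b"constructed-demo-secret"      # placeholder, not a real key
ADMIN_TOKEN = "constructed-admin-token"  # placeholder bearer token
BUCKET = "https://bucket.example/"       # constructed object-store host

def list_users_vulnerable(request: dict) -> dict:
    """Flawed pattern: no auth check, every field returned, and the ID photo
    is a permanent link to a world-readable object."""
    return {"status": 200,
            "body": [dict(uid=uid, **rec, license_url=BUCKET + rec["license_key"])
                     for uid, rec in USERS.items()]}

def sign_object(key: str, ttl: int, now=None) -> str:
    """Stand-in for a presigned URL: HMAC over key|expiry, valid for ttl seconds."""
    exp = int(now if now is not None else time.time()) + ttl
    sig = hmac.new(SECRET, f"{key}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{BUCKET}{key}?exp={exp}&sig={sig}"

def verify_signed_url(url: str, now=None) -> bool:
    """Object-store side of the stand-in: reject expired or tampered links."""
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    key = path.removeprefix(BUCKET)
    exp = int(params.get("exp", "0"))
    if (now if now is not None else time.time()) > exp:
        return False
    expected = hmac.new(SECRET, f"{key}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("sig", ""))

def list_users_hardened(request: dict, now=None) -> dict:
    """Require a bearer token (constant-time compare), return only public
    fields, and hand out a short-lived signed link instead of a public object."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth.removeprefix("Bearer ")
    if not hmac.compare_digest(token, ADMIN_TOKEN):
        return {"status": 401, "body": "authentication required"}
    return {"status": 200,
            "body": [{"uid": uid, "screen_name": rec["screen_name"],
                      "license_url": sign_object(rec["license_key"], 300, now)}
                     for uid, rec in USERS.items()]}
```

The hardened handler still needs an authorization check on who may see verification documents at all; the token gate here only shows the minimum that was missing.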
The flaws were discovered while TeaOnHer was the #2 free app in the Apple App Store, the article points out. And while these flaws "appear to be resolved," the article notes a larger issue: "Shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information to use apps and websites."
And TeaOnHer also had another authentication issue. A female reporter at Cosmopolitan also [8]noted Friday that TeaOnHer "lets you browse through profiles before your verifications are complete. So literally anyone (like myself) can read reviews..."
[1] https://www.nbcnews.com/tech/social-media/10-women-sued-tea-app-photos-hacked-leaked-online-rcna222880
[2] https://www.nbcnews.com/tech/social-media/tea-app-hacked-13000-photos-leaked-4chan-call-action-rcna221139
[3] https://techcrunch.com/2025/08/13/how-we-found-teaonher-spilling-users-drivers-licenses-in-less-than-10-minutes/
[4] https://techcrunch.com/2025/08/06/a-rival-tea-app-for-men-is-leaking-its-users-personal-data-and-drivers-licenses/
[5] https://www.documentcloud.org/documents/26048764-teaonher-api-backend-page/
[6] https://www.documentcloud.org/documents/26048764-teaonher-api-backend-page/#document/p1/a2666767
[7] https://www.documentcloud.org/documents/26048764-teaonher-api-backend-page/#document/p1/a2666752
[8] https://www.cosmopolitan.com/relationships/a65669170/tea-app-2025/
If you want to be an asshole, then.. (Score:2)
...Then asshole things will happen to you.
The people who make apps treating others badly don't care if their customers get treated badly. Corporate culture tends to treat customers not great, but these kinds of people do it on a speedrun.
Re: (Score:2)
"people who make apps treating others badly"
That is a fair cut at both the apps. The sour grapes in the Cosmo article over the male counterpart is hilarious though.
Re: (Score:2)
Summary of the [1]Cosmo article [cosmopolitan.com]:
> "Women created the Tea app for safety and males created TeaOnHer to talk shit...Naming and shaming key offenders arms women with the information they need to protect themselves...We made an app to protect ourselves, and they made one to violate us."
I offer no judgement as to whether the app named [2]"Tea" [urbandictionary.com] was designed for gossip.
[1] https://www.cosmopolitan.com/relationships/a65669170/tea-app-2025/
[2] https://www.urbandictionary.com/define.php?term=tea
TeaOnHer was a much simpler app to make (Score:2)
In fact, its rating system only includes a single question:
1) Does she put out on the first date?
What a shit show (Score:2)
Dating has become. Glad I don't need to navigate this hellscape.
TeaOnHER??? (Score:2)
Really, TeaOnHer, excluding gay guys? Where's the progress? I demand an AI-coded gossip site for everyone, about everyone! One with a monopoly on gossip that's the result of capitalist ravenings, run by an egomaniacal psychopath as it expands into a vague super conglomerate whose only reason not to leak all my info is that they can charge for it if they don't; now that's progress!