- cross-posted to:
- technology@beehaw.org
On the one hand, sucks that a leak like this even happens anymore, no one deserves to be doxxed like that. On the other hand, I struggle to feel bad for the users of the doxxing app getting doxxed in return…
I never thought there would be a dating intel war going on and this the second time too.
Sir, a second plane.meme
This is why age verification is dangerous. If a company can just forget to delete you ID picture, it will happen…
Don’t want your information on the internet? don’t upload it to anyone on or over the internet, it really is a fucking simple concept.
Posted on an article about an app encouraging different users to upload info about you without your consent. Yes, really simple.
And live in a cave! 😬
It would be nice if also they secured data too.
don’t upload it to the internet!
or use a smart phone
or corporate searches that track you
or go to any website with ads - they track you
hell don’t even search the internet! your ISP tracks dns requests
or use a modern tv that tracks what is on your screen
or you can do custom phone from - just unlock the bootloader, root it, and install! then just setup pihole/adguard/self-host everything
it’s simple, for privacy just go live in a yurt in the woods to not be tracked 24/7
Fucking simple concept which major businesses are economically compelled to gaslight you out of.
So the problem is in economics.
Each such business provides all of their infrastructure, expensive, good and well-maintained (Google has its own Internet cables), which is not separated from their application services.
So one provider of infrastructure (in the wide sense, solving all the problems) usually serves many users of their own application and many application providers (I’m inventing terms) without their own infrastructure.
While user of an application generally can’t switch infrastructure providers as they want. It’s kinda technically fine and normal (there are NTP server pools, one could in the olden days search many FTP servers for the needed file, and so on), but doesn’t happen IRL. Because there’s no standard way for pooling resources and tracking them, and there’s no applications using it.
So - the data model (cryptographic global person identities, globally identified by some derived hash posts (a post is, say, datetime, author, some tags, content, hash of it all, signatures, I dunno) (creation of a group or a vote or a changing of privileges or moderation can be a post too), for forming a representation for the user a group is “replayed” in the right order to know which user had a privilege to, say, moderate posts etc ; one can also generate group snapshots from time to time when replaying thus, by the group owner identity, to make it faster) is orthogonal to the service model. That’s important so that it were fit for alternative service models, like sneakernet or offline-enabled mesh or anything delay-tolerant. Or at least a p2p kademlia DHT-based service model.
The service model - the core of it all is a tracker service. It works like a tracker in BitTorrent (or maybe Hotline, but that’s old), except with signed announces, and it tracks search and storage and relay and maybe even computation services (which announce themselves to it). A search service gets storage services from trackers and indexes their contents (one can even announce objects to a search service similarly to trackers, might be better) to search by tags. A storage service just stores objects and yields them. A relay service must be harder, you the user must somehow announce (to trackers too?) which relay service you are registered on at this moment, a bit like SIP or like SMTP (only very temporary), so that messages to that relay service would reach you.
The client would just request a bunch of trackers for all things they need - to search for stuff for services, then request these services and merge their results. Forming a group representation is “searching for stuff” too, and then getting the objects referenced by index service responses from a bunch of storage services. To notify another user that you’ve sent them a message one can use a relay service.
I think it’s easy to see that it’s kinda primitive other than requiring proper cryptography. And it’s a global system working over the Internet (except no, it doesn’t exist). Similar to NOSTR, but I think better due to separation of data model and service model.
The advantages of this - one still can make any kinds of applications using such common infrastructure, but the resource-based feudalism we have this might hurt. Similar to how BitTorrent keeps working despite quite a few people not liking it.
The disadvantages - well, stuff will get lost, there are paid BT trackers but no paid BT peers, while in such a system paid storage and other services would be a thing (still much better than Facebook).
its like the ashley madison drama, which exposed cheating.
I was today years old when I learned that Ashley Madison is still in operation
There’s money in extortion, who knew!
Everyone is talking about the poor security practices, which is fair. Or they are talking about the appropriateness of such an app existing, which is also fair.
But the immediate take away should be, especially in today’s political environment, that we cannot and should not trust sensitive data that leaves our device, particularly if you are of any kind of non privileged group.
This has been the case for a long time, so suddenly you have apps like Tea that encourage you to upload info of other people. So now even the few that take care not to upload their info can be nicely monitored. And the Gestapo does not even need to pay their informants for it.
the entire UK government disliked this comment
The UK government can shove it up their fucking arse.
Sincerely, A UK citizen.
And here’s your daily reminder that the OSA was introduced, championed and passed by the Tories in 2023 despite outcry. Sunak even said at the time it was a problem for the “next Parliament” to deal with. Now they’re trying to blame Labour.
And also men are vicious trash goblins.
You’re not adding much to the “this app is appropriate” argument.
Well the point of the app was to identify the small percentage of men who do most raoe Nd stuff, and even if the law wouldnt stop them, help potential victims avoid them, so as to not have to be guarded around every man one meets like hes a potential vicious rape monster, because some just are.
Im saying all men are garbage, and the fundamental oremise that you can under any conditions act like any number of men are human is foolish and likely to get you hurt. Which i think this situation show.
I don’t think anyone questions the “point” of the app. But the devil, as they say, is in the details.
Yeah. That all men are trash; avoiding the bad ones just leaves you with fred rogers and probably a second one at some point idk.
This sounds like victim-blaming. This website didn’t even secure their database with a password. Come on. I’m sure their privacy policy gave the standard promises about storing their private data in a secure way, which they did not do.
Encouraging people to be safe and care about their privacy on the internet is not victim blaming.
I’m sure their privacy policy gave the standard promises about storing their private data in a secure way, which _they did not do. _
This is what people want to warn others of. The developers of Tea are hardly the only offenders. Definitely not an example of victim blaming.
I’m sure their privacy policy gave the standard promises about storing their private data in a secure way, which they did not do.
Their ToS can be found here. Section G of their Limitation of Liability tries to shield them from liability against data breaches. But if they were criminally negligent, the ToS won’t protect them. The Data Protection section basically just says “check our Privacy Policy for info on what we collect”, which is pretty standard fare for a ToS.
The Security section of their Privacy Policy is also extremely boilerplate. Here’s the entire thing:
Security of Your Personal Information
The security of your Personal Information is important to us. When you enter sensitive information (such as credit card number) on our Services, we encrypt that information using secure socket layer technology (SSL).Tea Dating Advice takes reasonable security measures to protect your Personal Information to prevent loss, misuse, unauthorized access, disclosure, alteration, and destruction. Please be aware, however, that despite our efforts, no security measures are impenetrable.If you use a password on the Services, you are responsible for keeping it confidential. Do not share it with any other person. If you believe your password has been misused, please notify us immediately.This one particular sentence may end up burning them though:
Tea Dating Advice takes reasonable security measures to protect your Personal Information to prevent loss, misuse, unauthorized access, disclosure, alteration, and destruction.
I think most people (and the courts) would agree that putting a password on your database is a reasonable security measure that would be expected per this Privacy Policy. Especially since their next sentence goes on to elucidate that users should keep their passwords confidential.
In the current environment, at-risk people (women, immigrants, etc) who might have “at-risk” activities (abortion, immigration, etc) don’t have the luxury of relying on a privacy policy. I am not blaming them, I am simply stating how it must be if they are to avoid adverse actions.
This particular instance involved poorly secured data; what happens when warrantless demands are made by the government?
The Tea debacle proves that sensitive data cannot be trusted once out of your hands.
I agree. The reality is that nobody should be trusting these platforms with such sensitive data. As demonstrated, there is so much that can go wrong when you trust these companies. This is a LOT of risk for very little reward.
Whatever you put online you should think “what if this were made public and attributed to me” before you post it.
The company should be sued into the ground. This is horrendous
I mean, it’s on brand. The doxxing app is successfully doxxing people…
In any other engineering discipline this would he negligence.
At least some of the negligence is on Google, for the atrocious default security settings in Firebase
The vulnerability is called hospital gown because they leave the back end wide open by design. It’s not even a traditional vulnerability, since it’s technically working as intended
In fairness if you leave Firebase in its default settings it won’t shut up about it.
You get warnings on the website, and constant emails telling you that you’re being a pillocked.
It is negligence, but information workers have very little regulation when it comes to handling personal data (outside of specific fields, like healthcare and finance).
I say this as an information worker who handles a lot of personal data. Worst case scenario, I get fired and can’t use them as a reference. Unless I’m intentionally stealing data and using it for crimes there’s no risk of criminal penalties.
We needed privacy laws 20 years ago but the tech bros assured everyone that it would be fine and for a long time they were mostly responsible with our data. But now we’re well into the enshittification of the Internet and the lack of regulation is allowing these kinds of harms to become common.
Though, in a sane regulatory framework Tea wouldn’t be allowed to exist in the first place. The entire point of the site is to doxx people and share personal details about them without their consent.
Both the company, for failing to protect its users; and a large majority of its users, for doxxing and libel.
Its unfortunate that it happened this way, but now the people who are being libeled against and doxxed have the ability to find out about it where they didn’t before.
I’m not going to hold it against women for having a private group to tell on predatory dudes when this existed and nobody ever faced any consequences. What We Learned About the 70K-Person Telegram Channel on How to Rape Women
This is some Grade-A whataboutism right here.
Of COURSE the people in that group chat deserve punishment, and probably the same 20 years that French(?) guy got depending on who all did what.
Just because that happened though doesn’t excuse that this happened. The company did a horrendous thing by holding onto highly sensitive and private data it said it should have deleted and then failed to secure it in any way, AND the userbase was absolutely vile and abusive towards men.
All three things need to see justice brought to them, and you should not excuse one just because another happened and wasn’t dealt with properly.
Arguing that tea was for “telling on predatory dudes” is like saying backdooring encryption is to catch people spreading CP.
That’s what the creator of the site said it was for.
The Uk said the OSA is to protect children. But people lie.
Would you believe me if I told you some systems are used for other things than what’s intended?
Sure, if you have evidence. What do you think it was really being used for? And what’s your evidence?
No need for evidence. The idea of anyone being able to claim anything about a person without proof is inherently flawed. Are you saying that the app has some magical feature which forces everyone to tell the truth? No disgruntled ex can make up things about their previous partner? I would love to see you prove that.
Yeah, and the US Marshall’s service said Operation Flagship was just a football sweepstakes.
And that’s what the people seeking to ban encryption claim it to be for, as well. Doesn’t make it true.
What is the truth, then?
That this app was set up for libel and doxxing, and would be abhorrent if the demographics were switched at all.
You know the “pro features” included address and phone number? Never mind the unaccountable reviews the reviewed can’t even see making targeted harassment campaigns easier, posting “address and phone number” is “bad.”
Just another story where victims go on to become absuers it seems.
Nah they were abusers all along
You get 89 cents in the settlement. Do you prefer to get a direct deposit or a check?
Nah, they just go bankrupt.
1 week free access to the service that did it in the first place is my favorite class action outcome.
Nah, just stop using it. Sueing does nothing, it just benefits lawyers and not any of us.
It sucks for those people, but everyone should expect anything they say online to be possibly tied back to them. Secrets and identification information don’t mix. Especially online. The good news is that there is no evidence any of it is real, anyone can lie on the site saying whatever they want, so if doxed someone can just say they were bored and wanted to fit in and see what others were discussing or such. Hopefully for them it doesn’t turn into people getting hurt for talking behind someone’s back like it often does offline.
fuck off with that complacency
there’s so much underlying rules for private communication between computer systems, this type of thing is pure neglect boardering on international.
there’s no reason to think everything online should be open and available. we should all be allowed to be in private spaces, especially if it’s advertised as a private space
There are no private spaces online, your privacy is at the whim of whoever owns the servers and whatever government controls them.
Unless you’re using end to end encrypted communication with people you know and trust you should assume that everything you do online has your actual name and face attached to it.
I do agree that it sucks.
There should be laws, with criminal consequences, that protect our privacy but essentially every government is of the opinion that actual privacy should never exist online because they think it’s better to sacrifice everyone’s privacy than to let a single criminal go undetected.
This is why you see all Western governments simultaneously running “think of the children” campaigns as they slowly manuver the Internet into requiring every device be identifiable and linked to a person.
This is why the end-to-end encrypted communication providers are also being pressured right now. Because with systems built using encryption to enforce the rules are actually private.
Governments know this, as they heavily rely on encrypted communication systems. They just don’t want anybody else to have that privilege.
There are no private spaces online,
your privacy is at the whim of whoever owns the servers
Which is it? It logically cant be both. I own at least a dozen servers.
There are no private spaces online, because your privacy is only protected by the people who own the servers. Your data isn’t private to them, nor any governments who can compell them.
You cannot trust that any data you put on services, that you’re not completely in control of, is going to remain private.
There are countless examples of services selling your data, hackets getting access to your data or governments compelling a service provider to produce your data on demand.
The exception to that are services where you can enforce your privacy through well implemented encryption.
For exsmple, I don’t need to trust a cloud storage provider that is storing my data because it’s encrypted on my machine using keys that only I control prior to being stored. My privacy doesn’t require me to trust that Google will protect my data from insiders, hackers or hostile governments because they don’t have the ability to produce it. My privacy is protected by the laws of mathematics regardless of how compromised the service provider is.
Yes, I know all that. I spent 25 years in tech, which is why I also know how to run secure services online. Hence my comment above.
People complaining here that security was to lax, people complaining in the next thread that the libre dev is the victim because security was to high.
Is it possible to get both balanced, yes. But it will never make everyone happy.
If you’re out of the loop, I found this article fairly helpful for a primer on the issues. It’s CNN, but I can’t be arsed to find a more kosher source.
https://www.cnn.com/2025/07/25/us/tea-app-dating-privacy-cec
404media did a great piece about what happened. available as podcast too. https://www.404media.co/a-second-tea-breach-reveals-users-dms-about-abortions-and-cheating/
Requires account
This is why you don’t vibe code a webservice
This wasn’t vibe coding, it’s incompetant devops.
You have to go out of your way to make these buckets public like this. Several giant “Everyone will have access to this” warnings, re-authentication, a permanent warning symbol on the dashboard AND regular e-mails reminding you that you have a public bucket. I don’t even think you can do this via the API, it requires a human to manually make this setting.
I’m guessing that they couldn’t figure out how to configure the Access Control Lists and just made it public so that it would work. That’s fine in a test environment, without any user data but it’s pure incompetence to have a production system setup this way.
If I were in the security team of that company, I would never accept ACLs on the bucket as a sufficient compensating control for this risk. Here the
bestmost reasonable would be encryption, which would make the bucket being public relatively unimportant.When you are collecting so sensitive data (potentially including personal data of people not using your service), you simply can’t even imagine doing that by storing the data unencrypted.
Edit: grammar
I’d say it’s not fine in a test environment, because then your test env S3 bucket is publicly available.
Yeah I could see it being left like this for an hour or so while someone finds out what the actual security configurations are supposed to be, during which time it wouldn’t have any data in it. But to leave it like this for any period of time is ridiculous and to release it like this is criminal.
I’m sorry, no - this is something you just simply don’t so.
Source: most of my career
It’s not great, but it’s an acceptable kludge if you’re the one holding everyone back and you can’t figure out the problem immediately. Set it to public, let the devs get to work and research the problem until you find a real solution.
The test environment data should be generic so if someone were to discover the bucket they’ll get some pictures of cats and a bunch of people who live at 12345 anywhere street.
What? No, this is a horrible practice.
If you can’t figure out how to set identity-based ACLs you shouldn’t be working in technology! Oh I’ll just set this shit to any/any and figure out later. FUCK ANYONE WHO DOES THIS IN THEIR LEFT EAR.
It’s a bad idea to leave your S3 perms wide open, because then anyone can use your S3 bucket for whatever reason they want, and it’ll hit your wallet. And if they can’t figure out basic IAM and ACLs, I’m also betting they can’t figure out “requester pays”
I don’t even think you can do this via the API
Someone never heard of terraform & similar configuration management software? They enable configuration as code, which can be vibe coded. Practically anything online can be configured via API, especially cloud services.
I’m pretty certain you would still get the constant emails though. I don’t think there’s a way to turn those off other than to secure the bucket.
Anyway I still maintain that an AI wouldn’t have made this mistake so the fact the mistake was made kind of implies that it wasn’t vibe coded.
Even an AI wouldn’t do something this stupid.
Every piece of information it its data set about Firebase would have told it to secure the database.
They hired an investigator? Any investigator worth a shit is gonna say that they’re liable for failing to secure private data they collected,
as well as for retaining data they were apparently legally obligated to deleteEdit: Misread that segment, they actually presented it as if they were deleted to users, but apparently retained them to comply with vague “law enforcement requirements.”
“Sir, we’ve already been breached once!”
“But what about second breach?”
Now there are two of them. A second breach has hit the app.
At least they’re honest, they did spill tea.
A whole lot of tea.
Did they use Tea app to spill tea about the shitty security practices of Tea app? Do they spill tea there about the app’s founder, Sean Cook, and frivolous claims of a safe space that preserves anonymity?
The Tea app is a women-only dating safety platform where members can share reviews about men, with access to the platform only granted after providing a selfie and government ID verification.
This sounds irresistible for angry misogynists. The only thing that surprises me about this is that it didn’t happen earlier.
The only thing that surprises me about this is that it didn’t happen earlier.
I’m way out of the dating game at this point, and also a man, so it’s very likely that I’m just out of the loop
But I hadn’t heard anything about this app until a couple weeks ago when I saw an article or two about it
Then about a week later this happened
So I kind of feel like maybe most of the assholes who did this were similarly unaware of it until it got some exposure and then it was on their radar.
I would certainly imagine that most women using this app probably weren’t telling the angry misogynists in their lives about this app.
Warning I’m going off memory and I’m too lazy to check this.
One of the articles on the first data leek mentioned it became big on the google play store shortly before the leek. It probably just wasn’t around long enough for you to notice it.
The article linked above asserts that it was a “legacy portion” of the database that got leaked, and that all the leaked data is from February 2024 and earlier. So this vulnerability apparently existed for at least 18 months. The timing of the leak coincides with a spike in popularity which brought wider attention down on it, and finally someone without the desire to implicitly trust it gave it a look.
Which says to me that in the few years this app has existed, it was never scrutinized, not by anyone on the dev side and not by anyone on the user side. That’s fascinating to me.
deleted by creator
Ostensibly, a noble goal. Practice is a bit more fuzzy.
Also: nothing is ever new