Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through peoples’ personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.
I can’t open the article, but I think I read that this was hosted on an unprotected bucket. Assuming that’s correct I wouldn’t say this was a breach. A better headline would be “Women dating safety app ‘Tea’ exposed women’s PII”.
To be 100% clear, I’m not excusing the hackers. I don’t believe it’s morally correct to publicize something because it is exposed. For folks curious about that you can look into how to ethically disclose vulnerabilities. I still view this as doxxing. I still believe what the hackers did should be a criminal offense, it’s just that I also believe the app holds a ton of the blame as well. How can you proclaim to be about keeping women safe while putting them at risk? That should be punished as well.
Like if the storage facility you trusted to hold your stuff never had locks on the doors, shouldn’t they take a lot of the blame as well as the thief who found out a door was unlocked?
The bigger problem is trying to get the mainstream that would read an article like that to understand the technical difference between hacking and accessing unsecured data.
One of the definitions of hacking is illegally gaining access to a computer system. It doesn’t need to involve any sort of exploit. Stealing from an unlocked home is still stealing. Gaining access to a system by phishing is still hacking. Leaking data that is technically publicly accessible that isn’t meant to be publicly accessible is still hacking.
Not that I suspect anything good from 4chan but the proper thing to do would be to disclose to Tea that their data is public and allow them to fix the problem. The ethics of vulnerability disclosure still apply when the vulnerability is “hey you literally didn’t secure this at all.”
This reminded me of an anecdote from maybe 6 years ago. I was setting up and testing a small network and a couple devices to install for a customer, let’s say the subnet was 192.168.2.0/24.
Weird things were happening, I was being lazy and wasn’t directly connected to the network, may have setup a VPN between devices somewhere; can’t really remember. But pings would sometimes drop or blow out to 100’s ms.
I eventually ended up disconnecting that network entirely, then the pings continued and got more stable?? WTF! I need we didn’t have that subnet in use, even checked before setting it up. In the time between checking and the issues happening, someone in Sydney somewhere had stuffed up on their router and exposed there LAN to the internet without any Firewalls, just available.
Scanned and found all the IPs in use and in them found a printer. Connected to it and printed a page saying I’m from company XYZ and found all these devices available, and to either contact their IT and resolve it ASAP or my company to help. About an hour later it seemed to be resolved.
It was an interesting day.