Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through people’s personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.

  • sunglocto@lemmy.dbzer0.com
    English · ↑ 13 · 2 months ago

    This is what happens when you decide to vibecode a service with zero attention to safety or web development. This is why you don’t immediately jump onto a new service without it being vetted properly. Now one of the worst communities on the Internet is in possession of over a hundred thousand women’s driving licenses and faces. This is going to be an absolute disaster.

    • Darrell_Winfield@lemmy.world
      English · ↑ 8 · 2 months ago

      This is ALSO why no service should ever require or get my driver’s license information. Fuck that. Also, yet another Constance to those who can’t afford a car or want to improve the environment by living car free.

      • shiroininja@lemmy.world
        English · ↑ 1 · 2 months ago

        My only exception to that are uber drivers. But then again we live in an age where somehow better help has become popular, even though they sell your data.

    • 4am@lemmy.zip
      English · ↑ 4 · 2 months ago

      Now now, I like to shit on vibecoders too but let’s not pretend this is some new problem.

      Idiots leave databases on cloud servers exposed all the time rather than deal with their company’s often arcane rules for generating certificates

      • ByteOnBikes@discuss.online (OP)
        English · ↑ 0 ↓ 1 · edited · 2 months ago

        I honestly don’t understand what op is talking about.

        Leaks happen all the time, even in billion dollar companies.

        Their comment is the equivalent like, “This is why you should lock your doors!” Like uh okay.

        • prof@infosec.pub
          English · ↑ 1 · 2 months ago

          This situation would have been easily preventable with basic understanding of what they’re doing is what OP is saying. This leak is not something highly complex, it is painfully stupid on the side of the developers.

          There’s a difference between a hack, where data is exposed, compared to data exposure due to negligence or ignorance on the development side.

        • Tlaloc_Temporal@lemmy.ca
          English · ↑ 1 · 2 months ago

          This was more like leaving all your valuables in a cardboard box on your front lawn. Anyone can just take it, if they care to look inside the completely unsecured box.

          Someone just drove up and tossed the box in their truck. No lock involved.

        • Eheran@lemmy.world
          English · ↑ 0 · 2 months ago

          I love how people just jump on whatever they like, instead of actually thinking about the stuff they read/comment on/upvote. Exactly like on Reddit, no difference.

            • Eheran@lemmy.world
              English · ↑ 0 · 2 months ago

              The thing is that many here think they are better, they look down on Reddit. There is a certain shift in what demographic switched over but generally it is the same.

    • Zetta@mander.xyz
      English · ↑ 0 ↓ 1 · 2 months ago

      “Vibe coded” you just made that up didn’t you, because you don’t like llms. I don’t see anything in the article about “Ai” and this service has been operating for 2 years.

      • shalafi@lemmy.world
        English · ↑ 1 · 2 months ago

        My thoughts as well. But hey, it’s lemmy! Just accuse someone of doing something we hate, good to go!

  • ToiletFlushShowerScream@lemmy.world
    English · ↑ 7 · 2 months ago

    Not sure if this is ironic that the users are now less safe after using the safety app. But I still feel bad for the users. Dating is hard enough without the fear of being harmed.

  • LibertyLizard@slrpnk.net
    English · ↑ 7 · 2 months ago

    I would not under any circumstances give my driver’s license to a for-profit app. I don’t even like to give my email.

        • HereIAm@lemmy.world
          English · ↑ 2 · 2 months ago

          Unfortunately this is the better of the two main parties. This isn’t republicans winning because dems didn’t vote. Labour won, and this still went through. The UK government as a whole has been on an anti porn brigade for decades. I can’t wait for the day labour and the Tories just die off.

  • dandelion (she/her)@lemmy.blahaj.zone
    English · ↑ 7 ↓ 1 · edited · 2 months ago

    The replies in this thread are disturbing, giving me a sense that Lemmy has a misogyny problem; maybe I was naïve, but I expected outrage about 4chan doxxing women trying to protect one another, instead I see lots of revenge enjoyment as if being doxxed on 4chan is justice for … <checks notes> warning one another about dangerous men they encounter when dating?

    The inability to empathize and take seriously the threats posed to women or to understand their motivation to protect one another is alarming.

    There is no good faith extended, but also no evidence presented that instead of safety the app was just for gossip, it’s just taken as assumed that women are wrong for using Tea and they all deserve to be doxxed.

    • LePoisson@lemmy.world
      English · ↑ 3 · 2 months ago

      Your comment was on top for me in my app, so I was like “oh how bad could it be.” Holy shit you’re not wrong, there’s some disgusting comments that are getting voted up.

      I’m low-key disappointed and appalled by these community members who believe these women “deserve” it for … Trying to help each other be safer?

      • 𝕛𝕨𝕞-𝕕𝕖𝕧@lemmy.dbzer0.com
        English · ↑ 0 · edited · 2 months ago

        saw this happening here, saw it happening in reddit threads on the topic, saw it all over the media cycle in the comments.

        i agree, people’s visceral backlash against this app is steeped in a deep misogyny. most of these comments have a vapid absence of any sort of even basic recognition towards these women as people. talking about them like they’re abstract figures or test subjects up in here.

        watching people take somewhat valid privacy concerns as an excuse to let loose their most toxic feelings towards women used to be the sort of thing only losers or emboldened megalomaniacs did in public, even just a decade ago.

        in the past years i’ve just seen all my peers, regardless of political affiliation, manipulated into a cult of outrage that serves as another hamster wheel upon which capital may spin.

        imtiredboss.png

    • joel_feila@lemmy.world
      English · ↑ 2 · 2 months ago

      Well let’s be honest if someone made a gender inverse version of Tea many people would be concerned about what is being shared on the app. Honestly I find tesla disturbing and the 4 chan doxing dangerous. Both sides can be bad.

      • dandelion (she/her)@lemmy.blahaj.zone
        English · ↑ 1 · 2 months ago

        sorry, are men concerned for their safety dating women such that a gender inverted version of this app makes sense? Your ignorance is what I’m talking about here …

      • ZILtoid1991@lemmy.world
        English · ↑ 0 ↓ 1 · 2 months ago

        Those already exist. 4chan (yes, they even kind of invented cancel culture with going after “whores” in the late 2000’s), kiwifarms, various manosphere forums, Andrew Tate’s Discord server, etc.

    • Gemini24601@lemmy.world
      English · ↑ 2 · 2 months ago

      The Tea app is agnostic. While its purpose and main use case was made for the safety of women in the dating scene, it was inevitably used to spread exaggerated or misleading information about otherwise innocent men. Imagine being a privacy-conscious individual, and breaking up with a toxic woman. She could go on to spread lies about you and even upload pictures of you to the reverse image search/ai. So even if you were doing everything right from a privacy standpoint, you’d still end up in someone’s private database, subjected to ai training, shared with the government, or who knows what. While I do see the purpose of apps like these, they can effectively take away someone’s privacy/dignity without them even knowing about it. Now imagine being a 4channer, someone probably even more privacy-conscious than lemmings, and possibly experiencing mental disorders like paranoid schizophrenia or autism; of course they’re drawn to hacking an app that would destroy their privacy. They are not sane individuals, so this event really was inevitable.

    • zarkanian@sh.itjust.works
      English · ↑ 1 · 2 months ago

      It isn’t the women who are wrong; it’s the app developer and 4chan. But setting aside the data breach, creating a Yelp for dating is a ticking time bomb. They were going to get sued out the ass, data breach or no data breach. I don’t know how many times this needs to happen, but I guess web developers have the memory of goldfish. There have been several attempts at something similar that got shut down for the obvious reasons. Making a website that rates human beings is always going to be a legal minefield.

    • SoftestSapphic@lemmy.world
      English · ↑ 1 · 2 months ago

      I think you are misunderstanding why people are upset.

      It’s horrible that these women were doxxed.

      It’s also horrible that a subset of women were doxxing men, which is what brought this negative attention to the site.

      Misogyny is real in our society, misandry is real.

      Saying things happen for sexist reasons when it was for a logical reason does a disservice to movements that seek equality.

      The internet also cheered on the 4chan PII leak that happened recently, not because it’s a male dominant space, but because they do shitty things like dox people.

    • wizbiz@lemmy.blahaj.zone
      English · ↑ 0 ↓ 1 · edited · 2 months ago

      “gossip” is for safety. It’s often information that men don’t want shared so it’s painted like it’s bad. Claiming women shouldn’t gossip is just more misogyny.

      • dandelion (she/her)@lemmy.blahaj.zone
        English · ↑ 0 · edited · 2 months ago

        There is some of that happening, like when women get together and discuss how they’re being treated it’s “gossip” and implied as immoral.

        I think some men might read what you’ve said and think you are denying any toxic gossip exists, it’s important to have nuance and not alienate men who otherwise would be allies, but I think overall your point is well taken.

        • WorldsDumbestMan@lemmy.today
          English · ↑ 0 · 2 months ago

          Say a woman breaks up with a man for petty reasons, like the guy switching the channel on TV, or even the other way around.

          And she decides to make up reprehensible shit about him on that app.

          He essentially becomes undatable, and he does not know why.

          • otp@sh.itjust.works
            English · ↑ 1 · 2 months ago

            I’m not sure what that has to do with the comment above yours, but you’re comparing men becoming “essentially undatable” to women being raped. Perhaps unknowingly.

    • Ilovethebomb@sh.itjust.works
      English · ↑ 0 ↓ 1 · 2 months ago

      Lemmy is full of people with a lot of technical knowledge, who look down on anyone without it. Just look at their responses to someone complaining about an issue on Windows, it’s just a hundred people telling you what Linux distro they use.

      It’s not so much misogyny, they just can’t pass up the opportunity to be smug about something.

  • JackbyDev@programming.dev
    English · ↑ 5 · 2 months ago

    I can’t open the article, but I think I read that this was hosted on an unprotected bucket. Assuming that’s correct I wouldn’t say this was a breach. A better headline would be “Women dating safety app ‘Tea’ exposed women’s PII”.

    To be 100% clear, I’m not excusing the hackers. I don’t believe it’s morally correct to publicize something because it is exposed. For folks curious about that you can look into how to ethically disclose vulnerabilities. I still view this as doxxing. I still believe what the hackers did should be a criminal offense, it’s just that I also believe the app holds a ton of the blame as well. How can you proclaim to be about keeping women safe while putting them at risk? That should be punished as well.

    Like if the storage facility you trusted to hold your stuff never had locks on the doors, shouldn’t they take a lot of the blame as well as the thief who found out a door was unlocked?

    • hopesdead@startrek.website
      English · ↑ 1 · 2 months ago

      The bigger problem is trying to get the mainstream that would read an article like that to understand the technical difference between hacking and accessing unsecured data.

      • JackbyDev@programming.dev
        English · ↑ 1 · 2 months ago

        One of the definitions of hacking is illegally gaining access to a computer system. It doesn’t need to involve any sort of exploit. Stealing from an unlocked home is still stealing. Gaining access to a system by phishing is still hacking. Leaking data that is technically publicly accessible that isn’t meant to be publicly accessible is still hacking.

        Not that I suspect anything good from 4chan but the proper thing to do would be to disclose to Tea that their data is public and allow them to fix the problem. The ethics of vulnerability disclosure still apply when the vulnerability is “hey you literally didn’t secure this at all.”

        • Brickhead92@lemmy.world
          English · ↑ 1 · 2 months ago

          This reminded me of an anecdote from maybe 6 years ago. I was setting up and testing a small network and a couple devices to install for a customer, let’s say the subnet was 192.168.2.0/24.

          Weird things were happening, I was being lazy and wasn’t directly connected to the network, may have set up a VPN between devices somewhere; can’t really remember. But pings would sometimes drop or blow out to 100’s ms.

          I eventually ended up disconnecting that network entirely, then the pings continued and got more stable?? WTF! I knew we didn’t have that subnet in use, even checked before setting it up. In the time between checking and the issues happening, someone in Sydney somewhere had stuffed up on their router and exposed their LAN to the internet without any firewalls, just available.

          Scanned and found all the IPs in use and in them found a printer. Connected to it and printed a page saying I’m from company XYZ and found all these devices available, and to either contact their IT and resolve it ASAP or my company to help. About an hour later it seemed to be resolved.

          It was an interesting day.

  • ByteOnBikes@discuss.online (OP)
    English · ↑ 5 · 2 months ago

    My friend came over and told me a story about this crazy date she was on. The guy love bombs her, sets her up with a massage, then in the morning, goes out and eats McDonalds alone and ghosts her. Then repeats every few weeks with love bombs.

    I shared that with my discord group and someone said they know that guy too.

    I’m assuming that’s what Tea is for.

  • sp3ctr4l@lemmy.dbzer0.com
    English · ↑ 4 · edited · 2 months ago

    Wow that was fast.

    I did not even know this app existed until about 8 hours ago.

    Already compromised.

    EDIT: Also, lol, this arguably is not even largely a hack.

    These idiots just had everything stored in a fucking publicly accessible firebase bucket… amazing.

    They didn’t delete anything they claimed to.

    Either way you look at it, anywhere on the spectrum from:

    A ] A bunch of women reasonably concerned for their safety

    B ] A bunch of gossip mongers

    … well, they’ve now all been doxxed.

    What a fucking disaster.

    • JackbyDev@programming.dev
      English · ↑ 0 · 2 months ago

      this arguably is not even largely a hack.

      While I agree in principle, I think we should still call it a hack. As in “to gain illegal access to (a computer network, system, etc.)” as Merriam-Webster puts it. It shouldn’t be legal to do this just because the website had horrible (non-existent) security. You shouldn’t be allowed to rob a house just because the door wasn’t locked.

      • DreamlandLividity@lemmy.world
        English · ↑ 0 ↓ 1 · edited · 2 months ago

        At which step should it turn illegal? You accessing publicly available website? How exactly are you to know if it is supposed to be public or not, if there is not even an attempt at security?

        • JackbyDev@programming.dev
          English · ↑ 1 · 2 months ago

          The thing is we don’t need to come up with some absolute definition of what should and shouldn’t be illegal to talk about this case specifically. They didn’t accidentally stumble on this. They doxxed the users instead of responsibly disclosing the problem. This is extremely cut and dry.

          If the story here was “I mistyped something and got to a page I shouldn’t have access to, I disclosed it to the company, didn’t dox anyone by sharing the problem, and now the FBI is after me” it would be different.

  • BackgrndNoize@lemmy.world
    English · ↑ 3 · 2 months ago

    This is why there should be a nationwide rule that PII data should be deleted after the users identity has been verified

  • M0oP0o@mander.xyz
    English · ↑ 2 · 2 months ago

    One would have hoped the lesson here would be about the dangers of commodifying everything as a fucking “app”, but no, it looks like it’s not the incredibly irresponsible company at fault (as is tradition).

  • Maybe I’m just getting old, but the idea of “verifying” my real identity to a faceless website or mobile app is abhorrent.

    I guess it doesn’t help that governments in some countries (UK, Australia that I know of) are encouraging this bullshit with Trojan horse laws claiming to protect children from adult websites / social media.

    Can’t help but think there is also an element of pot meet kettle here, when users of an app designed to dox and slander people without their knowledge are now the ones getting doxxed themselves.

    • Hozerkiller@lemmy.ca
      English · ↑ 4 · 2 months ago

      Seeing as the word hack is doing a lot of heavy lifting. They didn’t bother to actually secure the data and then put it on the internet for anyone to access.

  • gnu@lemmy.zip
    English · ↑ 2 ↓ 1 · 2 months ago

    People sign up to app intended to share personal information about others without their permission, end up having their own personal information shared without permission - the irony is impressive.

    • surewhynotlem@lemmy.world
      English · ↑ 2 · 2 months ago

      At first I was going to call bullshit because I thought you were exaggerating and being ridiculous.

      Nope. That’s the app. “Anonymous” sharing of pictures and info of other people. Presumably without their permission. That’s fucked up.

      • blarghly@lemmy.world
        English · ↑ 1 · 2 months ago

        Yeah. I mean, I get it. The concept of the app makes sense. And I would bet that, on average, it is/would be used for good.

        On the other hand, as a guy, the idea that people are out there sharing reviews of me as a person on the open internet, and I have no way of knowing this, is deeply unsettling. Like, I haven’t done anything wrong - just the whole concept feels very gross.

    • Zomg@piefed.world
      English · ↑ 0 · 2 months ago

      I think it depends on people’s intent and purpose for using this service. I’m overall not a fan of someone taking and sharing pictures of me without my consent, or making claims that can’t be defended…

      The group of women legitimately using it for safety is fine, in a general sense.

      The group of women using it as gossip and entertainment is not.

      • lunardroid@lemmy.blahaj.zone
        English · ↑ 1 · 2 months ago

        It makes sense using it for safety, but I would worry about whether all the information on there is accurate. Most of the feedback on the app is probably negative, I doubt anyone would really post anything on Tea that’s positive about their former partner. But people like to believe they are in the right. Someone who got in a fight with their partner might post something on Tea that isn’t accurate, but makes them feel better since they can spin the story how they want, and make the other person at fault. However, unlike regular social media, the person being attacked by their partner on Tea has no idea that it happened, and no way to refute what was said. It promotes the opposite of any type of communication between partners after a fight or breakup. It promotes safety, but at the same time it promotes some toxicity in relationships. What would you think if you knew that if you got into a disagreement with your partner that you could end up posted on this app, without any way of arguing back?

  • Bronzebeard@lemmy.zip
    English · ↑ 1 · 2 months ago

    I had been under the impression that 4chan had also basically died due to their own site getting hacked

    • Ricky Rigatoni@retrolemmy.com
      English · ↑ 1 · 2 months ago

      the site got hacked and most of the admins were revealed to have .gov emails but everyone pretty much already expected that so nobody actually cared and it’s back to business as usual