
In a startling revelation, the dating app TeaOnHer, which allows men to share information about women they claim to date, has been found to leak personal data of thousands of users online. Designed with the intent of fostering safe sharing of relationship information, the app has significant security vulnerabilities that have raised serious privacy concerns. Reported by TechCrunch, the app has exposed sensitive information, including images of users’ driver’s licenses and other government-issued IDs. This issue highlights the ongoing risks associated with apps that require users to submit sensitive personal information. As age verification laws tighten, the practice of requiring identification for access to adult content raises further security concerns regarding the storage of such data.

When TechCrunch initially reported on the security flaws, they took a cautious approach, avoiding detailed descriptions to prevent potential exploitation. However, with TeaOnHer ranking as the second most popular free app on the Apple App Store at the time, the urgency of the situation necessitated action. The process of uncovering the vulnerabilities began with examining the app’s public infrastructure. The investigation led to the discovery of an exposed API connected to the app's backend, which facilitated easy access to users’ sensitive information. Within just 10 minutes, it was possible to locate driver’s licenses due to poorly implemented security measures.

Developer Xavier Lampkin did not respond to multiple inquiries regarding the security flaws, nor did he confirm whether affected users would be notified of the breach. The investigation revealed that the API documentation was publicly accessible and lacked necessary authentication measures, allowing anyone to request private user data without any barriers. Data retrieved included users' unique identifiers, profile information, and links to their personal documents stored on publicly accessible Amazon S3 servers. This glaring oversight could have allowed malicious actors to extract vast amounts of data effortlessly. After the issues were reported, the API documentation was removed, and the system now appears to enforce authentication, although the initial lapses pose significant questions about the app's security practices.

TechCrunch's attempts to reach Lampkin for further clarification have yielded no responses, raising concerns about the app's commitment to user data protection. The incident serves as a stark reminder that developers, regardless of their scale, hold a crucial responsibility to safeguard user data. As the digital landscape continues to evolve, ensuring security and privacy must remain a priority for all app creators.
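
A defender-side check for the failure described above, as an added example that is not from the article or the app's code: it walks an API description and lists every operation callable without credentials, so that list can be reviewed before release. It assumes the API is described in OpenAPI 3 format (the article does not name the documentation format); the paths and the `bearerAuth` scheme name are constructed.

```python
# Added example: flag API operations that anyone can call without credentials.
# Assumes an OpenAPI 3 document (an assumption; the article does not name
# the documentation format). The sample spec below is constructed.

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def allows_anonymous(requirements):
    """True when a security requirement list permits unauthenticated calls.

    An absent or empty list means no requirement at all; an empty object {}
    inside the list is an explicit 'no credentials' alternative.
    """
    return not requirements or any(req == {} for req in requirements)

def unauthenticated_operations(spec):
    """Return sorted 'METHOD /path' strings reachable without authentication."""
    global_security = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters'
            # Operation-level 'security' overrides the top-level default,
            # including an explicit [] that removes it.
            effective = op["security"] if "security" in op else global_security
            if allows_anonymous(effective):
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)

# Constructed sample: hypothetical paths and scheme name, not the app's real API.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],
    "paths": {
        "/health": {"get": {"security": []}},                 # intentionally public
        "/users/{id}": {"get": {}},                           # inherits bearerAuth
        "/users/{id}/documents": {"get": {"security": []}},   # default removed
        "/profiles": {"get": {"security": [{}, {"bearerAuth": []}]}},  # auth optional
    },
}

if __name__ == "__main__":
    for line in unauthenticated_operations(SAMPLE_SPEC):
        print("no auth required:", line)
```

Run in CI against the spec that ships, and compare the output with an explicit allow-list of endpoints meant to be public.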