How we found TeaOnHer users' driver's licenses in less than 10 minutes

By Zack Whittaker


For an app built around spilling the tea on the people its users date, there is some irony in TeaOnHer pouring the personal information of thousands of its own users onto the open internet.

TeaOnHer is designed for men to exchange images and information about women they have dated. But much like Tea, the dating-gossip app for women that it set out to imitate, TeaOnHer had holes in its security that exposed its users' personal information, including pictures of their driver's licenses and other government-issued identity documents, as TechCrunch reported last week.

These apps were ostensibly created to let users share information about the people they date under a promise of personal safety. But their coding shortcuts and poor security underline the ongoing privacy risks inherent in asking users to hand over sensitive information just to use apps and websites.

Such risks will only get worse. Popular apps and web services must increasingly comply with age-verification laws that require people to submit their identity documents before they are given access to adult content, despite the privacy and security risks that come with storing databases of individuals' personal information.

When TechCrunch published our story last week, we did not publish specific details about the flaws we found in TeaOnHer, erring on the side of caution so as not to help bad actors exploit the bugs. Instead, we decided to publish a limited disclosure, given the app's high popularity and the immediate risk its users faced while using it.

At the time of disclosure, TeaOnHer was second in the free-app charts of the Apple App Store, a position the app still holds today.

The flaws we found now appear to have been fixed. TechCrunch is therefore sharing how we were able to find user driver's licenses within 10 minutes of being sent a link to the app in the App Store, thanks to easy-to-find flaws in the app's public-facing backend system, or application programming interface (API).

The app's developer, Xavier Lampkin, did not respond to multiple requests for comment after we provided details of the security flaws, and Lampkin would not commit to notifying affected TeaOnHer users or state regulators of the security lapse.

We also asked Lampkin whether any security reviews had been conducted before launch, but we did not get a response. (More on the disclosure later.)

OK, start the clock.

Exposed “admin” credentials

Before downloading the app, we first wanted to know where TeaOnHer was hosted on the internet by looking at its public-facing infrastructure, such as its website and anything hosted on its domain.

This is usually a good place to start, as it helps to understand which other internet-connected services are associated with the app.

To find the domain name, we first looked (where else?) at the app's listing on the Apple App Store to find the app's website. This can usually be found in its privacy policy, which apps are required to include before Apple will list them. (The app listing also claims that the developer “does not collect any data from this app,” which is plainly incorrect, so take that as you will.)

TeaOnHer's privacy policy was a published Google Doc, which included an email address on the teaonher.com domain, but no website.

The website wasn't public at the time, so with no website to load, we looked at the domain's public-facing DNS records, which can help determine what is hosted on a domain, such as the kind of email servers or web hosting in use. We also wanted to look for any public subdomains the developer might be using to host the app's functions (or to host other resources that perhaps shouldn't be public), such as admin interfaces, databases, or other web services.

But when we looked at TeaOnHer's public internet records, they held no useful information other than a single subdomain, appserver.teaonher.com.

When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, we saved a copy here). An API simply allows things on the internet to communicate with each other, such as linking the app to its central database.

On this landing page, we found the exposed email address and plaintext password (which wasn't far off from “password”) for a Lampkin account used to access TeaOnHer's “admin panel.”

The API page showed that the admin panel, used for the document verification and user management system, was located at “localhost,” which simply refers to the actual computer hosting the server and may not be directly reachable from the internet. It's not clear whether anyone could have used the credentials to access the admin panel, but this was a significant finding in itself.

At this point, we were only about two minutes in.

Otherwise, the API landing page didn't do much except give some pointers to what the API could do. The page listed several API endpoints that the app needs to reach in order to work, such as retrieving user records from the TeaOnHer database, letting users leave reviews, and sending notifications.

Knowing these endpoints can make it easier to interact with the API directly, as if we were impersonating the app itself. Every API is different, so learning how an API is built and how to talk to it can take time to figure out, such as which endpoints to use and which parameters are needed to communicate with it effectively. Apps like Postman can be useful for accessing and interacting with APIs directly, but this takes time and a degree of trial and error (and patience) to get APIs to spit out data when they shouldn't.

But in this case, there was an easier way.

TeaOnHer's API allowed unauthenticated access to user data

This landing page included an API endpoint called /docs, which served documentation auto-generated from the API (powered by a product called Swagger UI) containing the full menu of commands that can be run against the API.

This documentation page was a cheat sheet for every action you could perform on the TeaOnHer API as a regular app user and, more importantly, as the app's administrator, such as creating new users, reviewing users' identity documents, moderating comments, and more.

The API documentation also offered the ability to query the TeaOnHer API and its user data, essentially allowing us to retrieve data from the backend server and display it in our browser.

While it's not uncommon for developers to publish their API documentation, the problem here is that some API requests could be made without any authentication: no passwords or credentials were needed to return information from the TeaOnHer database. In other words, you could run commands on the API to access users' private data that shouldn't be accessible to an ordinary app user, let alone anyone on the internet.

All of this was conveniently documented and public for anyone to see.

Requesting a list of users currently in TeaOnHer's ID-approval queue, for example (no more than pressing a button on the API page, nothing fancy here), returned dozens of account records for people who had recently signed up to TeaOnHer.
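The defender's version of what the documentation page gave away: an OpenAPI document of the kind Swagger UI renders lists, for each operation, which security scheme it requires, so the unauthenticated ones can be found by reading the spec rather than by pressing buttons. The audit below is an added example written for this article, not TechCrunch's or TeaOnHer's code; the spec it scans is constructed and its paths are invented, not the app's real endpoints.

```python
"""List OpenAPI operations that can be called without credentials.
Added example, not TechCrunch's or the app's code; the spec below is
constructed and its paths are invented, not TeaOnHer's real endpoints."""
import json

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed spec in the shape Swagger UI renders from an openapi.json.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.2",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        # No security key at all: inherits the (absent) global requirement.
        "/admin/users/pending": {"get": {"summary": "Users awaiting ID review"}},
        # Explicit opt-out: security: [] overrides any global requirement.
        "/users/{user_id}": {"get": {"summary": "One user record", "security": []}},
        # Optional auth: an empty object in the list means "or nothing at all".
        "/users/{user_id}/documents": {"get": {"security": [{"bearer": []}, {}]}},
        # Properly protected.
        "/users/me": {"get": {"summary": "Own record", "security": [{"bearer": []}]}},
        "/health": {"get": {"summary": "Liveness probe"}},
    },
})


def unauthenticated_operations(spec_json, allowlist=("/health",)):
    """Return sorted (METHOD, path) pairs reachable with no credentials.

    OpenAPI semantics: an operation's `security` list overrides the document's
    top-level `security`; an empty list means no requirement, and an empty
    object inside the list is an alternative that requires nothing."""
    spec = json.loads(spec_json)
    global_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        if path in allowlist:
            continue  # endpoints that are meant to be public
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip `parameters`, `summary` and vendor keys
            requirements = op.get("security", global_security)
            if not requirements or any(req == {} for req in requirements):
                findings.append((method.upper(), path))
    return sorted(findings)
```

Anything this returns that is not on the allowlist is a candidate for the kind of exposure described above and should be checked against the live server, since the spec documents intent and the server decides.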

The records returned from the TeaOnHer server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile display name, their age and self-reported location, along with their private email address. The records also included web address links to images of users' driver's licenses and matching photos of the users themselves.

Worse, the driver's licenses, government-issued IDs, and personal photos were stored in an Amazon-hosted S3 cloud storage bucket configured to be publicly accessible to anyone with their web addresses. This public setting allowed anyone with a link to someone's identity documents to open the files from anywhere, without restriction.

Driver's licenses, one from Texas and the other from Massachusetts, redacted by TechCrunch, exposed by flaws in the TeaOnHer app. Image credits: TechCrunch (screenshot)

Using these unique user identifiers, we could also use the API page to look up individual user records directly, which would return their account data and any associated identity documents. With unrestricted access to the API, a malicious user could have scraped huge amounts of user data from the app, much as happened with the Tea app in the first place.

From bean to cup, that was about 10 minutes, and we hadn't even logged in to the app yet. The bugs were so easy to find that it would have been sheer luck if nobody malicious had found them before we did.

We asked, but Lampkin would not say whether he has the technical ability, such as logs, to determine whether anyone had used (or abused) the API at any point to access user verification documents, such as by scraping the web addresses out of the API.

In the days since our report to Lampkin, the API landing page, along with its documentation page, has been taken down, and it now shows only the status of the server the API runs on as “healthy.” At least in quick tests, the API now appears to require authentication, and the earlier calls we made against the API no longer work.

The web addresses containing users' uploaded identity documents have also been restricted.

TeaOnHer’s developer rebuffed efforts to disclose the flaws

Since TeaOnHer did not have an official website at the time of our findings, TechCrunch contacted the email address listed in the privacy policy in an effort to disclose the security lapse.

But the email bounced with an error saying the email address could not be found. We also tried to reach Lampkin through the email address on his website, Newville Media, but our email bounced again with the same error message.

TechCrunch reached Lampkin via LinkedIn and asked him to provide an email address where we could send details of the security flaws. Lampkin responded with an address titled “General Support.”

When TechCrunch discloses a security flaw, we always confirm first that the person or company is the right recipient. Otherwise, sending details of a security flaw blindly to the wrong person can create a risk. Before sharing specific details about the flaws, we asked the recipient at the “support” email address whether this was the correct address for disclosing a security exposure involving TeaOnHer user data.

“You must have us confused with the Tea app,” Lampkin replied by email. (We didn't.) “We do not have a security breach or data leak.” (He did.) “We have some bots at most but we haven't scaled to a large enough range to be in that conversation yet, sorry you were misled.” (We weren't.)

Satisfied that we had made contact with the right person (if not the response we had hoped for), TechCrunch shared details of the security flaws, along with several links to exposed driver's licenses, and a copy of Lampkin's own private data to underscore the severity of the security problems.

“Thank you for this information. This is concerning. We will jump on this now.”

Despite several follow-up emails, we have not heard from Lampkin since we disclosed the security flaws.

It doesn't matter whether you're a one-person software shop or a weekend coding billionaire: developers are still responsible for keeping their users' data safe. If you can't keep users' private data secure, don't collect it in the first place.

If you have evidence of a data exposure at a popular app or service, get in touch. You can securely contact this reporter via encrypted message on Signal at zackwhittaker.1337.
