Exposed: TeaOnHer Leaked User Driver’s Licenses in Minutes

▼ Summary
– TeaOnHer, a dating-gossip app, exposed users’ personal information, including photos of driver’s licenses and government IDs, due to security flaws.
– The app’s API allowed unauthenticated access to user data, making sensitive documents publicly retrievable without passwords or credentials.
– Despite being contacted, the app’s developer, Xavier Lampkin, dismissed initial concerns and failed to respond to follow-ups about the security issues.
– TechCrunch chose limited disclosure to avoid aiding potential bad actors, noting the app’s popularity (#2 on Apple App Store) and immediate user risks.
– The security flaws were resolved after disclosure, but the incident highlights broader privacy risks in apps requiring sensitive user data submissions.
A dating gossip app designed for men to share information about women they’ve dated has exposed thousands of users’ sensitive personal data, including driver’s license photos and government-issued IDs. The app, TeaOnHer, suffered from glaring security flaws that made private information easily accessible to anyone with minimal technical knowledge.
TeaOnHer was marketed as a platform where men could post details about their dating experiences, framed as a safety measure. Its backend did not live up to that framing: the API served personal records, identity documents and email addresses to any caller, with no authentication required.
Within minutes of investigating, the reporters found that TeaOnHer's API documentation was publicly accessible and listed the endpoints that return user data. No login credentials were needed to call them. A single API request returned profiles containing names, ages, locations and links to uploaded ID photos, many of which sat in an Amazon S3 bucket that was publicly readable, so the links worked for anyone who had them.
Worse, the credentials for the app's admin panel were printed in plaintext on the API's public landing page. The password was barely stronger than "password", and the panel controlled user verification and moderation. Whether anyone abused these flaws before they were fixed is not known, but the exposure was real.
When contacted, the developer, Xavier Lampkin, was initially dismissive and denied any breach. He later acknowledged the issue but did not respond to follow-up questions about whether affected users or regulators had been informed. The API documentation and exposed data have since been restricted, but the incident highlights broader concerns about apps that collect sensitive information without proper safeguards.
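The first thing a practitioner would check on finding a public API description is which operations it declares as reachable without credentials, and whether any free-text field embeds secrets. The following is an added example, not TeaOnHer's code or documentation: it audits a constructed OpenAPI 3 document (the paths, scheme name and description text are made up) for operations whose effective security requirement is empty, honouring the rule that an operation-level `security` key overrides the global one and that an empty requirement object means "no auth is acceptable".

```python
"""Audit an OpenAPI 3 document for unauthenticated operations and embedded credentials.

Added, illustrative code; the spec below is constructed and is not TeaOnHer's real API.
"""
import re

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")

# Constructed sample document (hypothetical paths and text, not the real app's spec).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "example-app", "description": "Admin password: changeme"},
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],  # global default: bearer token required
    "paths": {
        # Explicit opt-out from the global requirement: callable with no credentials.
        "/users/{id}": {"get": {"summary": "Fetch profile", "security": []}},
        # No operation-level key: inherits the global bearer requirement.
        "/users/{id}/id-document": {"get": {"summary": "Verification photo"}},
        "/admin/users": {"get": {"summary": "List users", "security": []}},
    },
}

# Free-text fields that look like they carry a credential, e.g. "password: ..." or "api_key=...".
CRED_HINT = re.compile(r"(password|passwd|secret|api[-_]?key|token)\s*[:=]", re.I)


def unauthenticated_operations(spec):
    """Return [(METHOD, path)] for operations whose effective security requirement is empty."""
    global_sec = spec.get("security", [])
    found = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            effective = op.get("security", global_sec)  # operation-level key wins over global
            # Empty list, or an empty requirement object {} among the alternatives, both mean
            # the operation can be called with no credentials at all.
            if not effective or any(req == {} for req in effective):
                found.append((method.upper(), path))
    return found


def credential_hints(spec):
    """Return JSON-pointer-like locations of string fields that look like embedded credentials."""
    hits = []

    def walk(node, where):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{where}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{where}[{index}]")
        elif isinstance(node, str) and CRED_HINT.search(node):
            hits.append(where)

    walk(spec, "")
    return hits


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        print(f"NO AUTH  {method} {path}")
    for where in credential_hints(SAMPLE_SPEC):
        print(f"SECRET?  {where}")
```

Run against a real `openapi.json` (load it with `json.load`), the first function lists every operation an anonymous caller can hit; any of them that returns user records or document links is the kind of exposure described above. The second is only a heuristic for obvious credential text and will miss secrets that do not follow a `name: value` shape.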
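The two flaws above, an endpoint that returns any user's record to an anonymous caller and document links that point into a publicly readable bucket, share one fix: authenticate the caller, authorize them against the specific record, and hand out only short-lived links. The following is an added, hypothetical example and not TeaOnHer's code; the in-memory users, session tokens, bucket URL and signing key are all constructed. `handler_vulnerable` reproduces the pattern the article describes, and `handler_hardened` is the corrected form, with an HMAC-signed expiring URL standing in for a presigned S3 URL so the example runs offline.

```python
"""Vulnerable profile endpoint beside its hardened form (added, hypothetical example)."""
import hashlib
import hmac
import time

# Constructed in-memory records; names, IDs and keys are made up.
USERS = {
    "u1": {"name": "Alice", "age": 29, "city": "Austin", "id_doc_key": "ids/u1.jpg", "role": "user"},
    "u2": {"name": "Bob", "age": 34, "city": "Denver", "id_doc_key": "ids/u2.jpg", "role": "user"},
    "mod": {"name": "Moderator", "age": 40, "city": "Remote", "id_doc_key": None, "role": "admin"},
}
SESSIONS = {"tok-alice": "u1", "tok-bob": "u2", "tok-mod": "mod"}  # bearer token -> user id
BUCKET_URL = "https://example-bucket.s3.amazonaws.com/"            # hypothetical bucket
SIGNING_KEY = b"server-side-secret-rotated-regularly"              # hypothetical key


def handler_vulnerable(request):
    """The pattern described above: no auth check, and a permanent link into a public bucket."""
    user = USERS.get(request["path_params"]["id"])
    if user is None:
        return 404, {"error": "not found"}
    doc_url = BUCKET_URL + user["id_doc_key"] if user["id_doc_key"] else None
    return 200, {**user, "id_doc_url": doc_url}  # leaks every field, incl. the object key


def sign_url(key, ttl=300, now=None):
    """Short-lived link: expiry plus HMAC over (key, expiry); stand-in for a presigned URL."""
    exp = int(now if now is not None else time.time()) + ttl
    mac = hmac.new(SIGNING_KEY, f"{key}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{BUCKET_URL}{key}?exp={exp}&sig={mac}"


def verify_url(url, now=None):
    """What the storage gateway would check: valid signature for this key and not expired."""
    base, _, query = url.partition("?")
    key = base[len(BUCKET_URL):]
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        exp = int(params["exp"])
    except (KeyError, ValueError):
        return False
    if (now if now is not None else time.time()) > exp:
        return False
    expected = hmac.new(SIGNING_KEY, f"{key}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("sig", ""))


def handler_hardened(request, now=None):
    """Authenticate, then authorize against the target record, then expose only a signed link."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "authentication required"}
    target_id = request["path_params"]["id"]
    # Object-level authorization: only the record owner or an admin may read it.
    if caller != target_id and USERS[caller]["role"] != "admin":
        return 403, {"error": "forbidden"}
    user = USERS.get(target_id)
    if user is None:
        return 404, {"error": "not found"}
    body = {"name": user["name"], "age": user["age"], "city": user["city"]}  # explicit allow-list
    if user["id_doc_key"]:
        body["id_doc_url"] = sign_url(user["id_doc_key"], now=now)  # expires; key never exposed
    return 200, body


if __name__ == "__main__":
    print(handler_vulnerable({"path_params": {"id": "u1"}}))
    print(handler_hardened({"path_params": {"id": "u1"}}))
    print(handler_hardened({"path_params": {"id": "u1"}, "headers": {"Authorization": "Bearer tok-alice"}}))
```

Two design points carry over to real deployments: the hardened handler builds its response from an explicit allow-list of fields rather than dumping the stored record, so adding a column later cannot silently widen the exposure, and the bucket itself should block public reads so that a leaked object key is useless without a fresh signature. With S3 that means a private bucket plus presigned URLs with a short expiry in place of the HMAC stand-in used here.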
This case underscores a critical lesson for developers: If an app handles personal data, security cannot be an afterthought. Whether built by a solo developer or a large company, failing to protect user information can have serious consequences. For those who suspect similar vulnerabilities in other apps, reporting them responsibly is essential to preventing further exposure.
If you have information about security flaws in popular apps, consider reaching out to cybersecurity experts or journalists who can investigate responsibly. Protecting user privacy should always be a priority, especially when handling sensitive documents like driver’s licenses and government IDs.
(Source: TechCrunch)