There is an app called Tea which purports to be a tool to protect women’s safety — it allows women to share info about the men they’ve been dating.
Tea launched back in 2023 but this week skyrocketed to the top of the U.S. Apple App Store, Business Insider reported. The app lets women anonymously post photos of men, along with stories of their alleged experience with them, and ask others for input. It has some similarities to the ‘Are We Dating The Same Guy?’ Facebook groups that 404 Media previously covered.
“Are we dating the same guy? Ask our anonymous community of women to make sure your date is safe, not a catfish, and not in a relationship,” the app’s page on both the Apple App Store and Google Play Store reads.
When creating an account, users are required to upload a selfie, which Tea says it uses to determine whether the user is a woman or not. In our own tests, after uploading a selfie the app may say a user is put into a waitlist for verification that can last 17 hours, suggesting many people are trying to sign up at the moment.
I’m already dubious — they use a photo of the applicant to determine their sex? That’s sloppy, and I can see many opportunities for false positives and false negatives.
But that’s not the big problem. The Tea database got hacked…by 4chan.
“Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket,” a post on 4chan providing details of the vulnerability reads. “DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!”
Congratulations. Your personal info has just been delivered to the worst collection of slimy sleazebags on the internet.
I’m just shocked that this app went live without the most rigorous evaluation of its security. You’re collecting scans of driver’s licenses with selfie photos, with only the most rudimentary precautions? What else? Social security numbers, bank accounts?
Just like all the other social-media-like sites, this one is an open invitation to be dishonest, gossipy and completely toxic.
PZ wrote: I’m just shocked that this app went live without the most rigorous evaluation of its security.
I reply: the number one rule of these businesses is ‘roll it out now, we’ll fix it later’, only IT IS NEVER FIXED LATER. And, they are never held accountable for the damage they allow to be done by their irresponsible behavior.
Privacy and personal safety is a thing of the past in the ‘surveillance state’ in which we live.
I’m reminded of ‘Social Autopsy’, Candace Owens’ proposed anti-bullying name-and-shame platform, which was basically a doxxing platform right in the design. When she was told that this was a bad thing and that in the best case it would become another method cyberbullies used to mess with their targets, she had a meltdown, accused Zoe Quinn of trying to destroy her, and joined up with Gamergate because they understood her/buttered her up. (So much for being ‘anti-bullying’.) Her slide down to being one of the nuttiest of the right-wingnuts proceeded apace.
Any ‘simple solution to a complex problem’ is pretty much guaranteed to be at the very least not well thought-out, and that’s assuming it wasn’t basically just a scam to collect information to start with. It’s hard to tell.
A little different perspective in this CNET article on the breach. Not sure I would believe the “more than two years ago” bit or why that would matter. Also note that while they allow selfies, they don’t require them. The gold standard seems to be photo IDs, aka driver’s license. That doesn’t seem more secure and personally I would never post my driver’s license to a website.
I mean, I loathe those 4chan freaks, but even I have to admit feeling a bit of schadenfreude with respect to the people who were doxxed. I get the impulse to help others by sharing information on people who demonstrated toxic behaviour, but firstly, I know that toxic behaviour is not the only thing those members would be sharing (because I know that inane gossip is part of the human condition), and secondly, how dumb do you have to be to willingly share your photo and driver’s license with a nascent app, one that has not proven it deserves your trust (do any tech companies deserve your trust, I ask, somewhat wistfully)?
Coincidentally, today is the first day of a new UK law that requires people to prove they are 18 to view pr0n, and while there are some less invasive ways to do so, uploading government-issued photo ID is one of the methods. It is claimed that the data is encrypted after the confirmation has taken place, and henceforth the only one who can decrypt it is the user…but we’ve heard such reassurances in the past, and massive data breaches still happened. Frankly, I am shocked that a law this Puritanical and anti-privacy could ever have been passed in any democratic nation, but invasive, Puritanical laws are increasingly common the world over these days, including in many American states. It seems some people just can’t help but fight to remove their own rights and freedoms. “For the children!” they cry. Effing ridiculous.
I have to wonder what is going on inside the heads of people who would upload a photo of themselves and a scan of their drivers licence at the behest of a random app they installed on their phone.
@3, jenorafeuer
there were other similar type of things as well. Peeple faced a huge backlash, apparently. [for some reason i thought that the fact that it required phone numbers was scandalous too? if so, wish we could go back to that].
one that seemed to be working was that couch surfing website:
https://www.researchgate.net/publication/220775717_Surfing_a_Web_of_Trust_Reputation_and_Reciprocity_on_CouchSurfingcom
@5, VolcanoMan
trust seems to be a key thing, ya
@6, steve oberski
i think it was air bnb that requires a photo of your government photo identification. whatever app it was, such things do exist
That photo could come from anywhere.
Just take one off of Facebork or Myspace.
It could be photoshopped or AI produced these days.
I knew the Internet was dangerous two decades ago when I started getting death threats.
I’ve lost track of how many times my personal information has been hacked.
It has never, ever been anything I’ve done.
Once it was my medical insurance company.
A credit card company.
A state of California government agency.
A Federal government agency.
I get these form letters that tell me that 5 million accounts have been downloaded to Borneo and mine might have been one of them.
Then they offer to enroll me for free in a credit watch program for 18 months.
I’m sure if you wanted my social security number, it is for sale on the Dark Web for a nominal sum from China or Burma.
I don’t think it’s good to blame the users for not being savvy enough to avoid uploading a driver’s license to a nascent app.
IMO Tea should be sued into bankruptcy with its leader having some legal consequences for them blatantly saving these images in the first place, then putting no effort in securing access to these data. Seriously, a public bucket for user identifiable data unencrypted (no, “legacy data systems” don’t cover your ass, especially when it is still hosting live data)? They deserve the entire legal library thrown at them.
No precautions, nuthin’. Hence the channer’s description: “It’s a public bucket”.
This is security by obscurity. It never works, and the people who wrote the app were probably hoping they would never get caught. I have my suspicions that the devs were going to leak this on purpose if 4chan hadn’t beaten them to the punch.
Worth remarking on this story, perhaps:
https://techcrunch.com/2025/07/21/serial-spyware-founder-scott-zuckerman-wants-the-ftc-to-unban-him-from-the-surveillance-industry/
Techbro creates stalkerware/spouseware (apps planted by someone with physical access to a phone) which leaks all the personal data collected/stolen from users, is sanctioned by the FTC in a 5-0 vote, resumes business less than a year later, receives further sanctions and orders to have regular external audits performed, ignores all that, and petitions a newly restructured FTC that’s perceived to be more friendly to profits and crime and whatnot to get rid of all the messy paperwork and allow him to get back to leaking stolen data on the open Internet.
I’m feeling a bit cynical over the prospect that my comment on the FTC’s docket will make a difference (comment link in TC article), but what else can one do when one isn’t named Luigi?
I guess these developers realize the general user is not concerned about their digital/electronic footprint floating around in cyberspace. I’m apathetic regarding these reports revealing how stupid people are. It doesn’t affect me anymore. No more sighs or shaking of my head. Basically, eh.
@OP–
4chan is the second worst collection of slimy sleazebags on the internet after 8chan, the group that broke away when 4chan started blocking child pornography.
VolcanoMan@5–
[1] I don’t think this is even close to schadenfreude-worthy. I know it isn’t the smart way to handle personal ID, but given how many people lose their details to scammers and scrapers over trivial things like shopping points, or through the fault of other people (apparently it is legally impossible to punish a company for lapses in information protection), I can’t find it in me to enjoy the pain of people just trying to avoid being misled/drink-spiked/raped by their dates.
[2] “It is claimed that the data is encrypted after the confirmation has taken place, and henceforth the only one who can decrypt it is the user…” Yeah, that’s a huge red flag that this is just security theatre. If only the user can decrypt the image then nobody else can check it. If anyone other than the user can access the decrypted file then it can be copied. Either way, it fails as an ID tool.
A system like this could work as a central ID database that anyone can check if the user gives permission, but even this does not protect users from social hacking, malware, extortion, or security failure on the database end.
It is not enough with the extant delinquents circling the victims. Now Trump is bringing in murderers from abroad
MSNBC: “Triple murderer freed from prison, brought back to U.S. by Trump”
https://youtube.com/shorts/nGawaY35D2g
To paraphrase Trump: the State Department is not sending America the best people. They are sending murderers.
@chrislawson:
Yeah, no kidding.
For one thing, if it can be decrypted at all, that means there is a way to decrypt it. Constraining that to ‘only the user can decrypt it’ is pure theatre; just witness the fact that there have been multiple key leaks from DVDs over the years, and that the DVD format was specifically designed with the ability to have a revocation list for keys. There was a whole hell of a lot of money and talent going into making DVDs as close to unbreakable as possible, and they couldn’t manage it.
There’s a reason why the standard password handling method for decades has been hash-based. You don’t store a password that can be decrypted in any way; instead you store a random ‘salt’ value and a hash code made by running that salt and the password through a complicated algorithm. (The salt exists so that even if two people use the same password, you’ll get different saved results.) When someone enters a password you read the salt value and run it and the password through the algorithm again, and check that the results match.
The less information you store in any way that is even theoretically reversible, the safer the information is.
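The salted-hash scheme described in the comment above, as an added worked example (it is not code from the Tea app or from any commenter). It uses Python’s standard-library PBKDF2-HMAC-SHA256; the iteration count and record layout are illustrative choices of this example, not anything the page specifies. The stored record holds only the salt and the derived hash, so there is nothing on the server that can be decrypted back into the password, and verification works by re-running the derivation and comparing the results.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters for this example (not values from the page).
# A production deployment would use a current recommended iteration count,
# or a memory-hard function such as scrypt or Argon2.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is drawn for each call, so two users who pick the same
    password end up with different stored records. The password itself is
    never stored, only the one-way derivation of salt + password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time.

    Malformed or unknown-scheme records are rejected rather than raising,
    so a corrupted row cannot turn into an exception path an attacker can probe.
    """
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != SCHEME or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def same_password_differs(password: str) -> bool:
    """Show the salt's purpose: identical passwords yield distinct stored records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential for the demo.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
    print("same password, different records:", same_password_differs("hunter2"))
```

The design point this illustrates is the commenter’s last sentence: the server keeps nothing reversible, so a leaked table of records yields no passwords directly, only material that must still be brute-forced one salt at a time. That is also why the trick does not transfer to ID photographs, which have to be viewable to be useful and therefore cannot be reduced to a one-way hash.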
The main slime media is USELESS, incomplete, biased and cowardly. Here it is the 28 July, three days after PZ wrote this article and we are just now seeing on network TV news about the stupidity and danger of this social media debacle.