What Happened
The recently viral app suffered a leak of upwards of 60GB of images
The original report was that this included 13,000 selfies and photo IDs submitted for account verification
Now, it’s at 72,000 photos and 1.1 million user DMs
Here’s some backstory for those unfamiliar.
The app is women only and anonymous, but requires a photo upon sign up (Driver’s License, etc.) for verification purposes. This then follows a process where the user is accepted/approved into the app.
It’s eyebrow raising how the app claims to delete these photos after verification. This data leak proves otherwise.
On top of this, the metadata appears to have been preserved on the uploaded photos, meaning they included geolocation data. Combine this with the Driver’s License photos, and you can see where this is going.
Some 4chan users have already used this data to create maps of Tea App users.
Can't make this stuff up.
From the initial statement, the content accessed was part of the legacy storage system and was “not migrated” to the newer system.
Here’s a link to a script that pulled down the images from the public Firebase bucket.
Absolutely crazy that this worked for something that made it to #1 on the App Store.
Here’s the original statement from Tea App
Make of that what you will.
Even more puzzling is how this even got out to the masses in the first place.
How did an app with so many design and security flaws make it to the app store?
How did it seemingly make it through many code reviews, and last this long?
My first thought after reading the developments of this data breach was “this is a vibe coded app gone wrong.”
The app was founded in 2023, so this could be the case, although vibe coding took off last year ¯\_(ツ)_/¯.
Whatever the case, this looks like negligence on the developers’ part. It just doesn’t seem like any meaningful threat modeling was done.
In the meantime, the app has disabled direct messaging as a mitigation while their investigation continues.
A brief recap of the things that went wrong here
Broken Access Control
Publicly accessible Firebase bucket
Failure to comply with their own privacy policies
Preservation of metadata in photos
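As an added illustration of the metadata point (example code, not from the article or the app): a stdlib-only check that flags a JPEG whose Exif IFD0 carries a GPSInfo pointer, and the strip step an upload handler should run before anything reaches storage. The sample JPEG is constructed inline and holds only an Exif segment, no image data.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag that points at the GPS sub-IFD

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment between SOI and SOS/EOI."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def exif_has_gps(jpeg):
    """True if the Exif APP1 segment's IFD0 contains a GPSInfo pointer."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        endian = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            tag = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            if tag == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed, so no GPS reaches storage."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])

def sample_jpeg_with_gps():
    """Constructed input: SOI, Exif APP1 whose IFD0 holds one GPSInfo entry, EOI (no scan data)."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)         # big-endian TIFF header, IFD0 at 8
    tiff += struct.pack(">H", 1)                          # IFD0: one entry
    tiff += struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26)   # GPSInfo, type LONG, -> GPS IFD at 26
    tiff += struct.pack(">I", 0) + struct.pack(">H", 0)   # no next IFD; empty GPS IFD
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

Run `exif_has_gps` on the raw upload to detect the problem and `strip_exif` before writing to the bucket; a real pipeline would also re-encode through an image library so non-Exif metadata (XMP, IPTC) is dropped too.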
There is already a class-action lawsuit filed.
There will undoubtedly be more we learn about this leak as the week goes on.
Ironically, the app that was supposed to be made for women and their safety ends up exposing them.
Wild stuff.
What I Read This Week
Tea app leak worsens with second database exposing user chats
Is it really a hack if the bucket data was public?
Included it here again because it’s so mind-boggling
Incentives for Security: Flipping the Script
Makes the case for a change in the messaging
I have definitely seen this. It’s hard to get Security at the forefront of the budget when it isn’t framed as aligning with the business (risk)
Breaches
Minnesota activates National Guard after St. Paul cyberattack
“St. Paul has requested cyber protection support from the Minnesota National Guard to help address this incident and make sure that vital municipal services continue without interruption."
Makes me think this will be a pattern going forward of municipal and federal collaboration, as cyber attacks on city systems become more prevalent.
NASCAR Confirms Personal Information Stolen in Ransomware Attack
This incident was discovered on April 3, but notices to users started last week
The Medusa ransomware group is claiming responsibility (credit) and has added it to its Tor-based leak site
Wrapping Up
Some parting thoughts. This is a symptom of a greater problem in today’s times.
An app of this nature made it to the top of the App Store, only to end up doxxing its users.
This reminds me of a blog post I read a while back. It goes over aspects of the loneliness epidemic that has unfolded in our times. A lot of it is being capitalized on by apps.
See you in the next one