For all apps about spilling beans about people you allegedly dated, it's ironic that Teaonher spilled the personal information of thousands of users on the open web.
Teaonher was designed to share photos and information about women that men claim to be dating. However, as Teaonher reported last week, the security in which Teaonher publishes user personal information, including user personal information and other government-issued ID documents, has punched a hole in security, just like the Tea that Tea was trying to replicate.
Apps like these gated communities were created superficially to allow users to share information about their relationships under the guise of personal safety. However, tinsel coding and security flaws underline the ongoing privacy risks inherent in requiring users to submit sensitive information to use the app or website.
Such a risk only worsens. Despite the privacy and security risks associated with storing databases of people's personal information, popular apps and web services must already comply with the Age Verification Act, which requires people to submit their own identity documents before being granted access to adult-themed content.
When TechCrunch published our story last week, it did not release any specific details of the bug we discovered in Teaonher. Instead, we decided to publish limited disclosures due to the growing popularity of the app and the direct risks that users face when using the app.
At the time of disclosure, Teaonher was number two on the Apple App Store's free app chart.
The flaws we found appear to be resolved. TechCrunch is now able to share how to find a user's driver license within 10 minutes of sending a link to an app store app, thanks to the ease of finding it in your app's public backend system or API.
App developer Xavier Lampkin did not respond to multiple requests for comments after submitting details about the security flaws. Lampkin also did not commit to notifying affected Teaonher users or state regulators that security was lapsed.
I also asked Lumpkin if a security review was performed before the Teaonher app launched, but there was no reply. (There will be more to be done about disclosure later.)
Now, start with the watch.
Teaonher published “Admin Panel” credentials
Before downloading the app, I first wanted to find a place where Teaonher is hosted on the internet.
This is usually a good place to get started as it helps you understand other services your domain has connected to on the Internet.
To find the domain name, I first looked at (accidentally) the list of apps in the Apple App Store and found the app's website. This is usually found in our privacy policy. This requires that you include the app before Apple lists it. (The list of apps claims that developers “do not collect data from this app.”
Teaonher's privacy policy was in the form of a public Google document that includes an email address for the Teaonher.com domain, but there was no website.
At the time, the website was not public, so we looked up the public DNS records for the domain because the website was not loading. This helps you identify which email server type and web hosting are hosted in your domain. I was also looking for a public subdomain that developers might use to host app features (or host other resources that probably wouldn't be publicly available).
However, looking at Teaonher's public internet records, there was no meaningful information other than a single subdomain, AppServer.Teaonher.com.
When I opened this page in my browser, the landing page for Teaonher's API was loaded (if I'm curious, I uploaded a copy here). The API allows things on the Internet to communicate with each other, such as linking apps to a central database.
On this landing page, I found a published email address and Plantext password (not far from the “password”) so that my Lampkin account can access Teaonher's “admin panel.”
The API page showed that the admin panel used for document verification systems and user management is located in “LocalHost”. This may be to the physical computer running the server and could not have access directly from the Internet. It's unclear if anyone could access the admin panel using their credentials, but this in itself was a surprising discovery enough.
At this point we were only 2 minutes.
Otherwise, the API landing page didn't do much other than providing indications about what the API could do. This page lists several API endpoints that your app needs to access for it to work, such as retrieving user records from Teaonher's database, such as leaving reviews and sending notifications.
With knowledge of these endpoints, it's easier to interact directly with the API, as if it were mimicking the app itself. Because all APIs are different, learning how the API works and how to communicate can take time, including the endpoints you use and the parameters you need to effectively speak the language. Apps like Postman help you access and interact with APIs directly, but this requires time and some trial and error (and patience), and the API needs to spit out the data.
But in this case there was an even easier way.
Teaonher API now allows for unrecognized access to user data
This API landing page contained an endpoint called /document, which contained an API auto-generated document (with a product called Swagger UI). This included a complete list of commands that could be executed in the API.
This document page was effectively a master sheet for all the actions you can perform in the Teaonher API, and as a regular app user and, more importantly, as an app administrator, creating new users, checking user ID documents, moderating comments, and more.
The API documentation also provides the ability to query the Teaonher API and return user data, which essentially allows you to retrieve data from the app's backend server and display it in your browser.
It's not uncommon for developers to publish API documents, but the problem here was that they could make some API requests without authentication. No password or credentials were required to return information from the Teaonher database. In other words, you can run commands on the API to access private data of users that the app's users should not be able to access, let alone anyone on the internet.
All of these were handy and public for everyone to see.
For example, requesting a list of users in the Teaonher ID verification queue – not just pressing a button on the API page, but there's nothing flashy here, but it returns dozens of account records to people who recently signed up for Teaonher.
Records returned from Teaonher's server included the user's unique identifier (essentially a random string of letters and numbers), the screen name of the public profile, and the self-reported age and location, as well as a private email address. The record also included a web address link containing a user's driver's license and a corresponding selfie photo.
Worse, these driver licenses, government-issued IDs, and selfie photos are stored in the Amazon Hosted S3 Cloud Server set so that anyone with a web address can make it public. This public setting allows anyone with a link to someone's identity document to open the file from anywhere without restrictions.
Two driver licenses published by a flaw in the Teaonher app (edited by TechCrunch). Image credit: TechCrunch (screenshot)
That unique user identifier also allows you to use the API page to directly search individual users' records and return account data and associated ID documents. Unsuppressed access to the API allowed malicious users to scrape off huge amounts of user data from the app, just like what happened with the TEA app from the start.
From bean to cup, it took about 10 minutes and I wasn't logged in to the app yet. The bug was very easy to find, so if we weren't malicious before we did, it would be pure luck.
We asked, but Lumpkin did not state whether he had technical capabilities such as logs to determine if he used (or misused) the API at any time to access the user's verification document, such as reducing web addresses from the API.
Since reporting to Lampkin, the API landing page has been removed along with the document page. This will only show the status of the server where the Teaonher API is running as “health”. At least in the CARSORY tests, the API appears to rely on authentication, and previous calls made using the API no longer work.
Web addresses containing the user's uploaded identity documents are also restricted from the public view.
Teaonher developers have rejected efforts to disclose flaws
Given that Teaonher had no official website at the time of the findings, TechCrunch contacted the email address listed in its Privacy Policy to disclose security lapses.
However, the email bounced back with an error saying that the email address could not be found. I also tried contacting Lampkin via his email address on his website, Newville Media, but our email bouncing off with the same error message.
TechCrunch has asked us to reach Lampkin via LinkedIn message and provide an email address where we can send details about the security flaw. Lampkin responded with a generic “support” email address.
When TechCrunch discloses a security flaw, it first confirms that the person or company is the correct recipient. Otherwise, blindly sending security bug details to the wrong person can pose a risk. Before sharing specific details about the defect, we asked recipients of our “Support” email address if it was the correct address to disclose security exposures that contain Teaonher user data.
You need to be confused with “The Tea App,” Lampkin replied via email. (We didn't have it.) “There's no breach or data leaks,” he said. (It did.) “We have at most a few bots, but we haven't scaled big enough to get involved in that conversation yet. We're sorry you've been given the misinformation” (we didn't).
We were pleased that we had established contact with the right person (though it's not the answer we received), and TechCrunch shared details of the security flaws, as well as some links to the exposed driver's license, as well as a copy of Lumpkin's own data to highlight the severity of the security issue.
“Thank you for this info. This is very worrying. I'm going to jump on this right now,” Lumpkin said.
Despite some follow-up emails, I haven't heard from Lumpkin since revealing a security flaw.
It doesn't matter if you're a solo software shop all weekend or a millionaire vibe that codes on the weekends. Developers are responsible for keeping your data safe. If you can't keep your users' private data safe, don't build it from the start.
Please contact us if you have any evidence that a popular app or service is leaked or published. You can safely contact this reporter via a message encrypted with Zackwhittaker.1337.