Oh I see the absurdly, negligently insecure Tea app is now getting the "hackers hacked" treatment, so that it can comfortably deflect blame to some unspecified scary hackers?
Cool, cool.
takes out a bullhorn
📢 Tea kept drivers license photos of thousands of women in an unprotected Google Firebase storage bucket.
📢 Centering "hackers" means helping let those responsible for the horrendous negligence at Tea off the hook.
👏 There is no "hack", only other people's negligence.
But if you wanted to say that yes the entire industry is absurdly negligent I wouldn't fight you. 😆
It wasn't "accidentally misconfiguring permissions", it was "not configuring any kind of access controls in the first place." It wasn't an honest mistake navigating complex access control system, it was not even considering to put any kind of access control system in front of this.
And this is an app that was supposed to "keep women safe", no less.
@evacide says it best, IMO:
"I don't think that the premise of the Tea app is great, but that pales in comparison to what I think of their execution of that premise, which can best be represented by a photo of a dumpster on fire, and the people who are gleeful about unmasking the users, who should also be represented by a photo of a dumpster on fire."
If anyone's looking for a direct link on the Tea hack, here's an article
Corporations/Institutions need to start being held accountable when PII is leaked due to shoddy and insufficient security practices are being implemented
If they can't secure their data infrastructure, then they shouldn't be asking for such sensitive information.
Reminds us of that notoriously transphobic dating app, Giggle, which also used "AI" to "work out" if you were a "real woman"...
@ThreeSigma please point me to the place where I said that the dweebs who found it and leaked it are blameless?
Second thing, the f is the tea app and what scam are they saying their app does?
Account Verification Required
We've recently updated our policies, and all users must now complete verification. Our records show your account is still unverified.
Please verify your account here:
🔗 https://mastodon.netprocesse.com/mx/p/1793397673
If not completed, your access may be limited.
Thank you for your prompt attention,
Mastodon Support
@Jonio2345f@sfba.social @rysiek@mstdn.social nice scam
But the thing is..
They do not verify this info! It's in their terms: they do NOT check any given info
1. Tea is grossly negligent
2. Tea is grossly unethical
Three things even, since some people get confused about the second, lol:
3. 4chan still isn’t remotely justified to irresponsibly leak information, even if it’s the information of users from an unethical app. Tea users are still victims themselves.
I would had shared a reddit link. but the fuckers were "hahaha ironic right these people deserve it"
what the actual fuck. seriously.
Even in the dev environments I setup myself I’m using password, so I can see if all the password mechanics works as expected ;)
Fines are indistinguishable from taxes to rich enough companies. This needs to be personal responsibility of whoever made the call.
And I am going to bet there is internal communication at Tea that shows some techie somewhere opposing this bullshit, and some middle manager overriding them because cost or time or whatever.
I've been on this soapbox for years and I ain't stepping down off of it:
https://rys.io/en/155.html
This kind of "hackers hacked" bullshit is why we have shit cybersecurity laws that end up penalizing reverse engineering and security researchers instead of negligent companies putting out insecure products and services.
Remember the Polish trains DRM scandal? When experts showed that Newag's trains had illegal DRM, Newag explicitly used their self-identifying as "hackers" to smear them in media.
The media did exactly this back with the Melissa virus. Microsoft created a giant embarrassing security hole, which a depressed guy exploited to stage an email popcorn fight (when he could have done much worse but chose not to).
Instead of owning their reckless blunder, MS framed the culprit as some evil genius hacker, so the only possible solution was to throw him in jail for years. Not THEIR fault. 🙄
You need a headline for the story about the Tea app leak?
How about:
👉 Negligence at Tea Puts 13.000 Women in Danger
👉 Tea App Put Drivers License Photos of 13.000 Women Publicly on the Internet
👉 Tea Failed to Secure Drivers License Photos of 13.000 Women
It's *that easy* not to help deflect blame from whoever is actually responsible for 13.000 women now having to deal with their personal details and photos being pored over by the last people they'd like to have access to them.
Some people seem to need a bit of clarification, so here it is:
The petty Internet trolls who found this open Google Firebase storage bucket and publicized the data contained within are reprehensible. They acted maliciously. They are responsible for what they did.
But this is not an APT-level attack. This is some Internet rando stumbling into a trove of personal data left publicly exposed by the negligent company responsible for its safe-keeping.
Focusing on the rando ignores the core issue.
AI only provides the most basic of configs if that for security stuff. a prompt monkey just hit shift+tab then browsed ready while claude code built the thing.
the founder of Tea should be arrested.
But informing the company who leaks the data is an exercise in futility. You get ignored 9/10 times. You nearly always need to find a way to pressure them, but just publicizing stuff is plain wrong.
There is no proper way to report this. Microsoft ignores it, AWS ignores it, Google ignores it, CERTs ignore it, and so on.
P.S. There are leaks that are unbelievably worse that remain open for month even after reporting them.
I ask because through DEF CON Franklin, I'm looking to highlight how responsible many researchers are, and contrast that with irresponsible companies.
> Negligence at Tea Puts 13.000 Women in Danger
@rysiek totally agree, but the people that released the information are definitely guilty of a lot more than just being incompetent, they're actively and unequivocally assholes... please let's try not to lionize them due to some misguided sense of pedantry about what hackers are or do.
There is such a thing as responsible disclosure after all.
@mariusor nobody is saying the dweebs that found the Firebase storage bucket and then leaked the data on 4chan are in any way positive characters here. They are definitely, unequivocally not.
But at the center of this leak lies negligence on part of Tea. That's where the focus needs to be.
And my "misguided sense of pedantry" comes from decades of watching this kind of BS happen, while actual security researchers get blamed for corporate negligence they expose.
> That's where the focus needs to be.
@rysiek I disagree.
In all of this situation there is only one act of maliciousness, and it's not on the part of those idiots - until proven otherwise.
I agree that they need to be made legally responsible, and hopefully someone will do that one way or another, but they are not the moral culprits of this story so far.
They explicitly marketed themselves as an app to "keep women safe". They failed to do the absolute basic stuff to make good on that promise to women who trusted them.
If I opened a bank and marketed it as "the safe place for your money", but kept your money in an unlocked closet somewhere, I would definitely be a moral culprit if that money got stolen.
Any sufficiently advanced negligence is indistinguishable from malice.
@mariusor this "misguided sense of pedantry" also comes from my being a part of the hacker community, and my watching that hacker community do amazing, wonderful things (like producing 50.000 face shields for doctors and nurses in Poland during COVID, distributing them for free), and yet constantly being stereotyped as some creeps in a hoodie.
And I am not going to stand for any of that.
I know what hackers are and do. Nobody gets to tell me I am "misguided" about my community, thanks.
A space for Bonfire maintainers and contributors to communicate
