Oh I see the absurdly, negligently insecure Tea app is now getting the "hackers hacked" treatment, so that it can comfortably deflect blame to some unspecified scary hackers?

Cool, cool.

takes out a bullhorn

📢 Tea kept drivers license photos of thousands of women in an unprotected Google Firebase storage bucket.

📢 Centering "hackers" means helping let those responsible for the horrendous negligence at Tea off the hook.

👏 There is no "hack", only other people's negligence.

#InfoSec #Tea

@rysiek I have no special information about Tea other than what I've read but it does seem that this is less than 1% of all users and no one who's joined in over a year. If accidentally misconfiguring permissions on a legacy object store is "absurdly negligent" that applies to pretty much every tech startup.

But if you wanted to say that yes the entire industry is absurdly negligent I wouldn't fight you. 😆

@stanley storing any kind of PII, especially photos of official IDs, on a publicly-reachable unprotected storage bucket is absurdly negligent, yes.

It wasn't "accidentally misconfiguring permissions", it was "not configuring any kind of access controls in the first place." It wasn't an honest mistake navigating a complex access control system, it was not even considering putting any kind of access control system in front of this.

And this is an app that was supposed to "keep women safe", no less.
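For readers who have not worked with Firebase, here is what "no access control in front of the bucket" versus a minimal control looks like in Firebase Storage security rules. This is an added illustration, not Tea's configuration (the thread does not show their rules), and the `/users/{uid}/...` path layout and the size/type limits are assumptions for the example.

```text
// --- storage.rules, WEAK (constructed example) ---
// Every object is readable and writable by anyone who can reach the
// bucket; nothing about the request is checked. This is the failure
// mode the thread describes.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

// --- storage.rules, HARDENED (constructed example) ---
// Deny by default. A signed-in user may only read or write objects
// under their own uid prefix (assumed layout), and uploads are
// limited in size and content type.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{uid}/{fileName} {
      allow read: if request.auth != null
                  && request.auth.uid == uid;
      allow write: if request.auth != null
                   && request.auth.uid == uid
                   && request.resource.size < 5 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
    }
    // Any path not matched above falls through to the implicit deny.
  }
}
```

Rules are deployed with `firebase deploy --only storage`. Two caveats a practitioner would add: the rules above govern access through the Firebase SDK and REST endpoints, while the underlying Cloud Storage bucket's IAM policy must separately not grant `allUsers` or `allAuthenticatedUsers`; and ID photos kept for verification should not live under a client-readable prefix at all, but either be deleted once verification completes or be reachable only from a server-side component with its own credentials.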

@rysiek

@evacide says it best, IMO:

"I don't think that the premise of the Tea app is great, but that pales in comparison to what I think of their execution of that premise, which can best be represented by a photo of a dumpster on fire, and the people who are gleeful about unmasking the users, who should also be represented by a photo of a dumpster on fire."

https://hachyderm.io/@evacide/114915555188466522

@rysiek Thanks for posting this, it makes me sad every time I see a leak like this. And it's only going to be happening more frequently as age verification gets normalized.

If anyone's looking for a direct link on the Tea hack, here's an article

https://www.nbcnews.com/tech/social-media/tea-app-hacked-13000-photos-leaked-4chan-call-action-rcna221139

https://archive.is/H5XM8

@rysiek there is absolutely zero reason to store insecure, unencrypted, information in a bucket, s3 or otherwise.

Corporations/Institutions need to start being held accountable when PII is leaked because shoddy and insufficient security practices are being implemented.

If they can't secure their data infrastructure, then they shouldn't be asking for such sensitive information.

#DataPrivacy #EncryptEverything #BestPractices


@stux @rysiek I mean, two things can be true:

1. Tea is grossly negligent

2. Tea is grossly unethical

Three things even, since some people get confused about the second, lol:

3. 4chan still isn’t remotely justified to irresponsibly leak information, even if it’s the information of users from an unethical app. Tea users are still victims themselves.

@pawelszczur this is something that should get someone who made that decision some prison time.

Fines are indistinguishable from taxes to rich enough companies. This needs to be personal responsibility of whoever made the call.

And I am going to bet there is internal communication at Tea that shows some techie somewhere opposing this bullshit, and some middle manager overriding them because cost or time or whatever.

I've been on this soapbox for years and I ain't stepping down off of it:
https://rys.io/en/155.html

This kind of "hackers hacked" bullshit is why we have shit cybersecurity laws that end up penalizing reverse engineering and security researchers instead of negligent companies putting out insecure products and services.

Remember the Polish trains DRM scandal? When experts showed that Newag's trains had illegal DRM, Newag explicitly used their self-identifying as "hackers" to smear them in media.

@rysiek

The media did exactly this back with the Melissa virus. Microsoft created a giant embarrassing security hole, which a depressed guy exploited to stage an email popcorn fight (when he could have done much worse but chose not to).

Instead of owning their reckless blunder, MS framed the culprit as some evil genius hacker, so the only possible solution was to throw him in jail for years. Not THEIR fault. 🙄

You need a headline for the story about the Tea app leak?

How about:

👉 Negligence at Tea Puts 13.000 Women in Danger

👉 Tea App Put Drivers License Photos of 13.000 Women Publicly on the Internet

👉 Tea Failed to Secure Drivers License Photos of 13.000 Women

It's *that easy* not to help deflect blame from whoever is actually responsible for 13.000 women now having to deal with their personal details and photos being pored over by the last people they'd like to have access to them.

Some people seem to need a bit of clarification, so here it is:

The petty Internet trolls who found this open Google Firebase storage bucket and publicized the data contained within are reprehensible. They acted maliciously. They are responsible for what they did.

But this is not an APT-level attack. This is some Internet rando stumbling into a trove of personal data left publicly exposed by the negligent company responsible for its safe-keeping.

Focusing on the rando ignores the core issue.

@rysiek
I think the point many might be missing about this is this:
- If this horrific rando hadn't done it, the issue was serious enough that some other rando was bound to come along and do the same thing later
- If Tea had secured their stuff better, and/or NOT stored such sensitive data, there would have been a much lower chance of this happening
@rysiek Bingo and I'd bet damn good money they weren't the first to get access to the docs. They were just the first to say they got access. I mean literally all you had to do was just get the project-id for the firebase bucket, and you could quite literally get that from the app itself without doing any "hacking" whatsoever.

AI only provides the most basic of configs if that for security stuff. a prompt monkey just hit shift+tab then browsed ready while claude code built the thing.

the founder of Tea should be arrested.

@arichtman @rysiek Remark: I do responsible disclosure for open buckets a lot. I never publicize them before they are closed.

But informing the company who leaks the data is an exercise in futility. You get ignored 9/10 times. You nearly always need to find a way to pressure them, but just publicizing stuff is plain wrong.

There is no proper way to report this. Microsoft ignores it, AWS ignores it, Google ignores it, CERTs ignore it, and so on.

P.S. There are leaks that are unbelievably worse that remain open for months even after reporting them.

@rysiek the primary blame needs to be put on the companies that collect this data. Secondly, not securing it and lying that it was deleted when there was no plan to do that in the first place. 90% of the internet companies business model today is to turn users into the product through more and more collection at every turn to create an associative web of data to profile those users.

> Negligence at Tea Puts 13.000 Women in Danger

@rysiek totally agree, but the people that released the information are definitely guilty of a lot more than just being incompetent, they're actively and unequivocally assholes... please let's try not to lionize them due to some misguided sense of pedantry about what hackers are or do.

There is such a thing as responsible disclosure after all.

@mariusor nobody is saying the dweebs that found the Firebase storage bucket and then leaked the data on 4chan are in any way positive characters here. They are definitely, unequivocally not.

But at the center of this leak lies negligence on part of Tea. That's where the focus needs to be.

And my "misguided sense of pedantry" comes from decades of watching this kind of BS happen, while actual security researchers get blamed for corporate negligence they expose.

> That's where the focus needs to be.

@rysiek I disagree.

In all of this situation there is only one act of maliciousness, and it's not on the part of those idiots - until proven otherwise.

I agree that they need to be made legally responsible, and hopefully someone will do that one way or another, but they are not the moral culprits of this story so far.

@mariusor they absolutely are among the moral culprits of that story.

They explicitly marketed themselves as an app to "keep women safe". They failed to do the absolute basic stuff to make good on that promise to women who trusted them.

If I opened a bank and marketed it as "the safe place for your money", but kept your money in an unlocked closet somewhere, I would definitely be a moral culprit if that money got stolen.

Any sufficiently advanced negligence is indistinguishable from malice.


@mariusor this "misguided sense of pedantry" also comes from my being a part of the hacker community, and my watching that hacker community do amazing, wonderful things (like producing 50.000 face shields for doctors and nurses in Poland during COVID, distributing them for free), and yet constantly being stereotyped as some creeps in a hoodie.

And I am not going to stand for any of that.

I know what hackers are and do. Nobody gets to tell me I am "misguided" about my community, thanks.