Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
For an app that something differentish, it is in more, more than approaching goes to real falls by the its personal information of his users to the open web.
Teahonher was designed for men to share photos and info about women who claim to be an appointment. But very much like You, the Gossip app for women Was trying to replicate, tea, the gaping holes in their security that the personal information of users, including the pictures of their government identity, as TECHCRUNCH REPAINED last week.
These connunngariously apps were created ostensibly to leave users’ users on their relationships under the personal security guise. Although the flaws and security security faults in the usernames in the usernames to submit sensitive information to use app and websites.
Such a risks are just for worse; The popular app and web services are already respects with age verification laws that require people to Submit their identity documents First can be granted to the temporary content to adults, despite the risks of privacy and security associated with the personal information database.
When Techcury posted our story last week, we have not covered special details of the bug that discover in you instead, We decided to publish a limited disclosureDue to the popularity of rises of the app and immediate apples that users to face when using the app.
As for the time of disclosure, toonher was # 2 in free app card on the Apple Apple app, a position also held by the app today.
Defects we found they appear to be resolved. Techcrunch can now share how we can find the licenses of the user’s driver licenses in the app in the App Store, thanks to the backs backs
The app developer, Xavier flash, did not answer the details of the details of details, nor to blow users of the lap of security lapse.
We also asked flankin if any security reviews were taken before the teone app was launched, but we have no response. (We have more than disclosure later.)
Okay, start the clock.
Treeeon Exposed ‘the panel credentials
Before we discharged the app, we first need where the tea of ineoner has been lifted on the Internet
This is usually a good place to start having to help you understand that other services the domain is connected on the Internet.
To find the domain name we have previously kept (by chance) to the The app list on Apple App Store to find the app website. This can usually be found in their privacy policy, which app must include before Apple lists it. (App the app also says the developer “do not collect any data from this app”, that is demonstrally fake, so take it so like you.)
Tea’s tea policy was in the form of Google Doc Doc, which includes an email address with a teaonher.com Domain, but no website.
The website is not published in time, so with no website of the website, we will look at the domain, which can be heard on the domain, as the type of email or the type of email. We also wanted to seek any public subdomore that the developer could use for the functionality functionality for the app (or host other resources that should probably not public), as admin dashboards, database, or other services of the web.
But when we look at the public memories of tea on you, you had no significant information than a single subway, appserver.teaonher.com. I am
When we opened this page in our browser, what has loaded was the land of the attachment for tea of tea (for curious, We have climbing a copy here). A simply allow things on the internet to communicate with each other, as league an app to their central database.
Was on this page of the landing we found the exposed email address and plaintext password (that it was not so far “Password”) For the flampin account to access the Teeonher’s administrator panel. “
The API page has displayed the verification panel and the user’s verification system, it was directly, that it may not have to be clear of the credentials to access the Admin Panel
At this point we were only about two minutes in.
Otherwise, the API landing page did not do much other than offers some indication for what the apes can do. The page listed several EPI Endes, which app needs to access the order to fit, users of the user’s database to.
To the knowledge of these stuns, may be easier to interact with the API directly, as we make imitating shi. Each API is different, then adreping OPH produces and how to take time to understand, like figsometers left in effectively their tongue. Apps as the posting can be useful for access and interact directly with apis, but this requires time and a test point and error (and patience)
But in this case, there was a easiest way.
The Teeonher Api has allowed non-authentic access to user data
This API landing page included a summoned purpose /docscontaining the automatic of the automatic documentation (fueled by a product called swagger) containing the full list of commands that can be performed on the API.
This documentation page has been effective a friend’s sheet of all actions you may not from the actions of the teaonher, as an Apple’s amilector, check the identity papers, and more.
The API documentation has also dragged Teoonher’s Tea capacity, essentially to leave data data from BACKEND.
While not common for developers to publish your APPE you have a API application without any authentication – no beliefs of the tender. In other words, you can understand the commanders in AOPI to access users ‘users’ data you should not be accessible to the application of the app, let alone ask you in the Internet.
All this was conveniently and publicly documented for someone to see.
Requesting a list of users currently in the verification of the identity of you, for example – not more than one API button, nothing fantastic of the account
The records returned from the unique server server in the app (essentially a string and random numbers), their screen name, with their private email address. The records include the web address links that contain the pictures of the Driver’s Licenses and the corresponding selfs.
Worse, these government licenses, government’s licenses, and self-kept are kept in an amazon-Hosted-Hosted server as publicly accessible to someone web addresses. This public parameter allows someone with a link to someone’s identity papers opens the files from no part of no restraints.
With that unique user identifier, we can also use the API page to store Indian users registrors, that will turn their account data and any of their associated identity With access not allowed to the celeadable user could have written huge amounts of use data from the app, many as it happened The app’s app to start with. I am
By faagier to Cup, that was about 10 minutes, and we hadn’t been connected to the app yet. The bugs were so easy to find that it could be a fortune if none of it before we
We asked, but flashin would not say if he has to determine if someone had used (the user verification documents, as scraping users from the API.
In the days from our flampin report, the footpoint page. At least on the cursory tests, the API now seems to trust the authentication, and earlier calls used the API is not working anymore.
Web addresses containing the usership identity documents also have been limited by public view.
The Teonhers developer has wasted efforts to disclose defaults
Date that the self had no official website of our findings, teethocrrunch in the email address listed on an effort to disclose security laps.
But the email saved again with an error saying that the email address could not be found. We have also found to dispose flightbacks through the email address in their website, its Newville site, but our e-mail has recovery with the same error message.
Techchcrubrrirch returns flashin via LinkedIn, begging for an email address where we can send the details of security defaults. Lambkin replied with an email address “Support” in response.
When the Techcrunch discloses a safety flow, we have to repair to confirm before a person Oa company is the correct recipient. Otherwise, sending blinds of a security bug to the wrong person could create a risk. Before sharing specific details, we requested the recipient of the “SUPPET” “SUPPETE” WERE WAS THE CURRENT address to disclose an exposure to your man.
“You should be confused with ‘the App’ App ‘,” Lamkkin’s responded by email. (We don’t.) “We don’t have a safety safety or data”, he said. (He made.) “We have some bots to most but we have not climbed large enough to be in that conversation as well as you are wrong.” (We were not)
Satisfied that he had set up with the correct person (Albeness not with the answer we received), as a lot of security, and a copy of the severe of the security problems.
“Thank you for this information. This is very concerned. Let’s get to jump to this now”, she flying.
Despite many follow-up emails, we did not hear from flashin since we have disclosed security defaults.
It doesn’t matter if you are a person’s software store or A billionaire codes of vibe through a weekend: Developers still have a responsibility to keep their users’ data. If you can’t keep the private data of your users, they don’t build to start with.
If you have evidence of a popular app or filter service or exposing information, contact. You can contact this reporter via the encrypted message to zackwhittaker.1337 on the sign.
