For an app that is ostensibly about spilling the tea on the people you are allegedly dating, it is ironic that TeaOnHer was spilling the personal information of thousands of its users onto the open web.
TeaOnHer was designed for men to share photos and information about women they claim to be dating. But like Tea, the dating-gossip app for women that it was trying to replicate, TeaOnHer had a security lapse that exposed its users’ personal information, including their driver’s licenses and photos of other government-issued identity documents, as TechCrunch reported last week.
Apps such as these were ostensibly built so that communities could share information about their relationships under the guise of personal safety. But the poor coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information before they can use apps and websites.
Such risks are only going to get worse; popular apps and web services are already being made to comply with age-verification laws that require people to present their identity documents before they can access adult-themed material, adding to the growing databases of people’s personal information despite the privacy and security risks.
When TechCrunch published our story last week, we did not publish specific details of the bugs we found in TeaOnHer, erring on the side of caution so as not to help bad actors exploit them. Instead, we opted for a limited disclosure because of the app’s growing popularity and the immediate risk to the people using it.
At the time of disclosure, TeaOnHer was No. 2 in the Apple App Store’s free apps chart, a position the app still holds today.
The flaws we found have since been fixed. TechCrunch can now share how we were able to find users’ driver’s licenses within 10 minutes of downloading the app from the App Store, thanks to easy-to-find flaws in the app’s public-facing backend system, or API.
The app’s developer, Xavier Lampkin, did not respond to several requests for comment after we submitted details of the security flaws, nor would Lampkin commit to notifying affected TeaOnHer users or state regulators of the security lapse.
We also asked Lampkin whether any security review was done before the TeaOnHer app launched, but we did not get a reply. (We have more on the disclosure later.)
OK, start the clock.
TeaOnHer exposed ‘admin panel’ credentials
Before we even downloaded the app, we first wanted to find out where TeaOnHer was hosted on the internet by looking at its public-facing infrastructure, such as anything hosted on its website and its domain name.
This is usually a good place to start because it helps to understand what other services are connected to the internet.
To find the domain name, we first looked at the app’s listing on the Apple App Store to find the app’s website. This can usually be found in its privacy policy, which apps must include before they can be listed. (The app listing also claims that the developer “does not collect any data from this app,” which is demonstrably false, so take that as you will.)
TeaOnHer’s privacy policy was in the form of a published Google Doc, which included an email address on the teaonher.com domain but no website.
The website was not public at the time, so with no website loading, we looked at the domain’s DNS records, which can help identify what else is hosted on the domain, such as email servers or the type of web hosting. We wanted to look for any public subdomains that a developer might use to host functionality for the app (or to host other resources that should not be public), such as an admin dashboard, a database, or other web-facing services.
But when we looked at TeaOnHer’s public internet records, there was nothing of note other than a single subdomain, appserver.teaonher.com.
When we opened this page in our browser, what loaded was the landing page for TeaOnHer’s API (for the curious, we uploaded a copy here). An API simply allows things to communicate with each other over the internet, such as connecting the app to its central database.
It was on this landing page that we found an exposed email address and plaintext password (which was not far off from “password”) for accessing the “admin panel” for Lampkin’s account.
The API page showed that the system used for document verification and user management was located on “localhost,” which refers to the physical computer running the server itself and cannot be reached directly from the internet. It is not clear whether anyone could have used the credentials to reach the admin panel, but it was a sufficiently alarming discovery in itself.
At this point, we were only two minutes in.
Otherwise, the API landing page did not do much except indicate what the API could do. The page listed several API endpoints that the app needs to access in order to function, such as retrieving user records from TeaOnHer’s database, leaving reviews, and sending information to users.
With knowledge of these endpoints, it can be easy to interact directly with the API, as if we were the app itself. Every API is different, so it can take time to learn how an API works and how to communicate with it, such as which endpoints to use and which parameters it requires to speak its language effectively. Apps such as Postman can be helpful for accessing and interacting directly with APIs, but this takes time and some degree of trial and error (and patience) to get an API to return data it should not.
But in this case, there was an even easier way.
TeaOnHer’s API allowed unauthenticated access to user data
The API landing page included an endpoint called /docs, which served the API’s automatically generated documentation (powered by a product called Swagger UI) and included a complete list of commands that could be run against the API.
This documentation page was effectively a master sheet of every task you could perform on the TeaOnHer API as a regular app user and, more importantly, as an administrator of the app, such as creating new users, verifying users’ identity documents, moderating comments, and more.
The API documentation also showed the ability to query the TeaOnHer API and have it return user data, which essentially let us retrieve data from the app’s backend server and display it in our browser.
While it is not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication: no password or credentials were required to return information from TeaOnHer’s database. In other words, you could run commands on the API to access users’ private data that should not be accessible to an ordinary app user, let alone to anyone on the internet.
All of this was documented publicly for anyone to see.
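Publishing API documentation is not itself the flaw; the flaw is that sensitive operations declared no authentication requirement at all. A Swagger UI page is rendered from a machine-readable OpenAPI document, so the same check a reporter did by clicking buttons can be done by reading that document. The script below is an added example and not TeaOnHer’s code or anything recovered from its server: it parses a constructed OpenAPI document (the paths, summaries and the scheme name are assumptions chosen to resemble the endpoints described above) and lists every operation that can be called anonymously, then narrows that list to the ones whose paths suggest account or identity data.

```python
"""Audit an OpenAPI (Swagger) document for operations that declare no
authentication.

Added example, not TeaOnHer's code. The document below is constructed to
resemble the kind of auto-generated /docs page described in the article;
frameworks such as FastAPI serve Swagger UI at /docs from a JSON document
like this, but whether TeaOnHer used that framework is not stated."""
import json

# Constructed sample OpenAPI 3 document (paths and names are assumptions).
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.2",
    "components": {"securitySchemes": {
        "bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/admin/verification/queue": {
            # no "security" key and no document-level default: anonymous
            "get": {"summary": "List users awaiting ID verification"}},
        "/users/{user_id}": {
            "get": {"summary": "Get a user record"},
            "delete": {"summary": "Delete a user",
                       "security": [{"bearer": []}]}},
        "/reviews": {
            "post": {"summary": "Leave a review",
                     "security": [{"bearer": []}]}},
        "/health": {
            # explicitly anonymous ("security": []), which is fine here
            "get": {"summary": "Server status", "security": []}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}


def unauthenticated_operations(openapi_json: str):
    """Return (METHOD, path) pairs that can be called without credentials.

    OpenAPI rules: an operation uses its own `security` list if present,
    otherwise the document-level `security` list. An empty list means
    explicitly anonymous; a missing list with no global default is also
    anonymous. Both cases are reported, sorted by path."""
    doc = json.loads(openapi_json)
    global_security = doc.get("security", [])
    findings = []
    for path, item in sorted(doc.get("paths", {}).items()):
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            security = op.get("security", global_security)
            if not security:
                findings.append((method.upper(), path))
    return findings


def risky_unauthenticated(openapi_json: str,
                          markers=("admin", "verification", "user")):
    """Keep only anonymous operations whose path suggests account or
    identity data. A health check is expected to be open; an admin
    verification queue or a per-user record is not."""
    return [(m, p) for m, p in unauthenticated_operations(openapi_json)
            if any(marker in p.lower() for marker in markers)]


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_OPENAPI):
        print(f"anonymous: {method} {path}")
    print("needs attention:", risky_unauthenticated(SAMPLE_OPENAPI))
```

This is a static check on what the documentation declares. An operation that declares a security requirement can still be unenforced, and one that declares none may be protected by a proxy in front of it, so a finding here is a lead to confirm with a single unauthenticated request against a test account, not proof by itself.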
For example, requesting the list of users currently in TeaOnHer’s identity verification queue (no more than pressing a button on the API page, nothing fancy here) would return dozens of account records on people who had recently signed up to TeaOnHer.
The records returned from TeaOnHer’s server included users’ unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, their self-reported age and location, and their personal email addresses. The records also included web links to the users’ driver’s licenses and to the selfie photos submitted alongside them.
Worse, the driver’s licenses, government-issued IDs, and selfies were stored in Amazon-hosted S3 cloud storage that was publicly accessible to anyone with the files’ web addresses. This public setting allowed anyone to open the identity files without any restriction.

With a user’s unique identifier, we could also use the API page to look directly at the records of individual users, which would return their account data and any of their associated identity documents. With unfettered access to the API, a malicious user could scrape a huge amount of user data from the app, much as happened with the Tea app to begin with.
From bean to cup, it took about 10 minutes, and we had not even logged into the app. The bugs were so easy to find that we would be surprised if no one malicious had found them.
We asked, but Lampkin would not say whether he has the technical ability, such as logs, to determine if anyone used (or misused) the API at any time to gain access to users’ verification documents, such as by scraping the web addresses from the API.
In the days after our report to Lampkin, the API landing page was taken down, along with its documentation page, and it now only shows a server status reporting that TeaOnHer’s API is “healthy.” At least on cursory tests, the API now requires authentication, and the calls we previously made using the API no longer work.
The web addresses of users’ uploaded identity documents are now also restricted from public view.
TeaOnHer’s developer rebuffed efforts to disclose the flaws
Given that TeaOnHer had no official website at the time of our findings, TechCrunch contacted the email address listed in the privacy policy in an attempt to disclose the security flaws.
But the email bounced back with an error stating that the address was not found. We also tried to contact Lampkin through an email address on his website, Newvil Media, but that email bounced back with the same error message.
TechCrunch reached Lampkin through a LinkedIn message, asking him to provide an email address where we could send details of the security flaws. Lampkin responded with a generic “support” email address.
When TechCrunch discloses a security flaw, we first reach out to confirm that the person or company is the correct recipient. Otherwise, sending details of a security bug to the wrong person could itself pose a risk. Before sharing the specific details of the flaws, we asked the recipient at the “support” email address whether it was the correct address for disclosing a security risk involving TeaOnHer user data.
“You must be confusing us with ‘The Tea App,’” Lampkin replied by email. (We were not.) “We don’t have any security breaches or data leaks,” he said. (It did.) “We have some bots, but we haven’t gotten big enough to be in that conversation yet, sorry that you’re wrong.” (We were not.)
Satisfied that we had established contact with the right person (though not with the response we received), TechCrunch shared the security flaws along with several links to driver’s licenses and a copy of Lampkin’s own data to illustrate the severity of the security issues.
“Thanks for this information. It is very concerning. We are going to jump on it now,” Lampkin said.
Despite several follow-up emails, we have not heard from Lampkin since we disclosed the security flaws.
It does not matter whether you are a one-person software shop or a billionaire vibe coding over a weekend: developers still have a responsibility to protect their users’ data. If you cannot keep your users’ private data safe, do not build it in the first place.
If you have evidence of a popular app or service leaking or exposing information, get in touch. You can securely contact this reporter via encrypted message on Signal at zackwhittaker.1337.