Monday, August 18, 2025

Male Revenge App Became Popular And Very Vulnerable

Two online apps that claim to help users date safely by sharing information about abusive or dishonest ex-partners have rocketed to the top of Apple's U.S. App Store rankings.

However, as it turns out, both apps suffered from serious security flaws that exposed thousands of users' personal data to the internet.

Tea, which became the number one most downloaded app on iPhone in July after going viral, lets women anonymously review men they've dated and bills itself as "the safest place to spill tea".

A few days ago, it was joined at the top of the charts by TeaOnHer, a copycat app that offers to "help men date safe" with "verified reports" about "red flags, safety concerns, and positive experiences".

As of the time of publishing, TeaOnHer was the second most downloaded free app on the U.S. iPhone App Store, while Tea was the third.

Now both apps are facing potential class action lawsuits after hackers and tech journalists discovered that they were spilling a different kind of tea: leaking users' ID documents, selfies, and in some cases emails and private messages.

Tea rapidly took action to close the breach — but not before numerous angry (and seemingly mostly male) internet users gleefully downloaded and shared photos and ID documents from women who had used the app, according to 404 Media.

Meanwhile, one week after TeaOnHer's breach was discovered by TechCrunch, the issue finally appears to have been fixed. But the company behind it has offered no public comment, nor any indication that it has notified users about their drivers’ licenses being leaked.

The company behind TeaOnHer also appears to have little web presence, and questions from The Independent to its only publicly accessible email address resulted in an automated bounceback.

"It turns out that the kind of people who write and launch an app in less than two weeks are not the kind of people who feel the need to implement secure coding practices and strong privacy protections for the sensitive user data they ask you to upload," said Eva Galperin, director of cybersecurity at the privacy-focused Electronic Frontier Foundation, on Bluesky.

The breaches shine a light not only on the dysfunctions of modern dating — and people's hunger for a solution — but also on the ethical quandaries of naming and shaming individual exes online.

Tea was first launched in 2023, apparently inspired by "Are We Dating the Same Guy" Facebook groups, which serve as informal (and sometimes controversial) whisper networks about shady and abusive behavior. "Founder Sean Cook launched Tea after witnessing his mother’s terrifying experience with online dating — not only being catfished but unknowingly engaging with men who had criminal records," the app's about page reads.

TeaOnHer’s security was very lax. According to TechCrunch, it took less than ten minutes and only "trivial" effort to access driver’s licenses and email addresses, with no password or credentials required.

The app requires all users to submit government ID verification, but its App Store page falsely claims not to collect any data from users.

Apple's rules say that app makers must identify all the data they collect on their App Store page, unless it meets certain exception criteria.
