App’s Shocking Security Flaw: Driver’s Licenses Exposed in Minutes!


Hustler Words – A recent investigation by hustlerwords.com uncovered a critical security vulnerability in the TeaOnHer app, exposing thousands of users’ driver’s licenses and other sensitive personal information within a mere ten minutes. The app, designed for sharing relationship gossip, ironically became a victim of its own design flaws, highlighting the significant privacy risks associated with apps demanding sensitive user data.

This gated community-style app, similar to other platforms promising relationship transparency under the guise of safety, suffered from severe coding and security oversights. These vulnerabilities underscore the escalating privacy concerns surrounding apps requiring users to submit sensitive information for access, a trend exacerbated by increasing age verification laws for adult content.

Image credit: techcrunch.com

hustlerwords.com’s investigation revealed easily exploitable flaws in TeaOnHer’s public-facing API. Within minutes of accessing the app’s App Store listing, we located exposed admin panel credentials and an unauthenticated API endpoint. This endpoint, documented via a publicly accessible Swagger UI, allowed unrestricted access to user data, including driver’s license photos stored in a publicly accessible Amazon S3 bucket. The unique user identifiers, combined with the API’s functionality, enabled retrieval of comprehensive user records, including private email addresses and identity documents.
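As an added illustration (not code from TeaOnHer or from the hustlerwords.com report), the failure pattern described above modelled in stand-alone Python: an unauthenticated user lookup that hands out a direct link into a world-readable bucket, beside a hardened handler that authenticates the caller, restricts each caller to their own record, and issues a short-lived signed link instead of a raw bucket URL. The user records, bearer tokens, bucket name and signing secret are constructed placeholders; requests are plain dicts so the module runs offline.

```python
import hmac, hashlib, time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed sample data: user records, bearer tokens, signing secret, bucket.
USERS = {
    "u-1001": {"email": "alice@example.invalid", "license_key": "ids/u-1001.jpg"},
    "u-1002": {"email": "bob@example.invalid", "license_key": "ids/u-1002.jpg"},
}
TOKENS = {"tok-alice": "u-1001", "tok-bob": "u-1002"}   # token -> user id (constructed)
SECRET = b"constructed-signing-secret"
BUCKET_URL = "https://EXAMPLE-BUCKET.s3.amazonaws.com"   # placeholder bucket name

def vulnerable_get_user(request):
    """Flawed pattern: no authentication, and the record carries a direct URL
    into a public bucket, so any known or guessed user id yields the licence photo."""
    user_id = request["path"].rsplit("/", 1)[-1]
    if user_id not in USERS:
        return 404, {}
    rec = dict(USERS[user_id])
    rec["license_url"] = f"{BUCKET_URL}/{rec.pop('license_key')}"
    return 200, rec

def _caller(request):
    """Map a bearer token to a user id with a constant-time comparison."""
    token = request.get("headers", {}).get("Authorization", "").removeprefix("Bearer ").strip()
    return next((uid for t, uid in TOKENS.items()
                 if hmac.compare_digest(t.encode(), token.encode())), None)

def hardened_get_user(request, now=None):
    """Fix: authenticate, enforce object-level authorization (own record only),
    and replace the bucket link with a short-lived signed URL."""
    caller = _caller(request)
    if caller is None:
        return 401, {}
    user_id = request["path"].rsplit("/", 1)[-1]
    if user_id != caller:          # same answer whether or not the id exists
        return 403, {}
    rec = dict(USERS[user_id])
    rec["license_url"] = sign_url(rec.pop("license_key"), now or int(time.time()))
    return 200, rec

def sign_url(key, now, ttl=300):
    """Time-limited HMAC link: a stand-in for an S3 presigned URL (bucket stays private)."""
    expires = now + ttl
    sig = hmac.new(SECRET, f"{key}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{BUCKET_URL}/{key}?{urlencode({'expires': expires, 'sig': sig})}"

def verify_url(url, now):
    """What the object-serving side checks before returning the photo."""
    p = urlparse(url); q = parse_qs(p.query); key = p.path.lstrip("/")
    expires = int(q["expires"][0])
    good = hmac.new(SECRET, f"{key}|{expires}".encode(), hashlib.sha256).hexdigest()
    return now < expires and hmac.compare_digest(good, q["sig"][0])
```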


The app’s developer, Xavier Lampkin, failed to respond to multiple requests for comment regarding the security lapse and the lack of prior security reviews. Initial attempts to contact Lampkin via the email address listed in the app’s privacy policy (a Google Doc) were unsuccessful. Contact was eventually made via LinkedIn, but Lampkin initially dismissed the concerns, claiming no security breach existed. Following the disclosure of specific details and evidence, including links to exposed driver’s licenses, Lampkin acknowledged the issue but has not provided further updates.

Since the hustlerwords.com report, the vulnerable API endpoint and documentation have been removed, and access restrictions have been implemented. However, the incident underscores the critical need for robust security measures in app development, regardless of scale or resources. Developers bear a responsibility to safeguard user data; failing to do so is unacceptable.
