TeaOnHer, the male version of Tea, is leaking personal information on its users too
Last week we reported on some serious leaks in Tea Dating Advice, an app that provides a space for women to exchange information about men they know, have met, or have dated in the past.
The app aims to provide a platform where people can share relevant information about, say, potentially abusive partners. However, it leaked images and private messages, leading to 10 potential class action lawsuits in federal and state courts for negligent data practices.
Now it has been revealed that the male equivalent, TeaOnHer, has exposed users’ personal information as well, including government IDs and selfies.
TeaOnHer, which ranks high in the Lifestyle apps category for iOS, allows men to share photos and information about women they have dated. It appears to have been designed with a sense of vengeance against the Tea Dating Advice app: It uses similar language in the App Store description, and as it turns out, it’s just as leaky.
TechCrunch reports it found at least one vulnerability that allows any user access to other users’ email addresses, driver’s licenses, self-reported location, and selfies. Perhaps most distressingly, the news outlet also discovered that guest users could view explicit images of women, likely shared without consent.
TechCrunch also found an email address and password of the app’s creator. It seems likely that using those credentials might provide access to the administrator panel of the app, although TechCrunch didn’t test that hypothesis for legal reasons.
It is disappointing that apps made for sharing private information and ranked so high in the App Store apparently have such a poor security standard.
TeaOnHer’s creator did not respond to emails from TechCrunch asking where to report the flaws, so TechCrunch only shared the fact that the flaws exist without going into much detail. This is commendable given the sensitivity of the shared data.
Protecting yourself after a data breach
While there are no indications that anyone else has accessed this data, it is a possibility we can’t ignore. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
- Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
- Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.