Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through peoples’ personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.
Reading these incredible comments has revealed a large piece of what was named as the reason for lemm.ee shutting down.
what was that?
Moderation.
I can’t open the article, but I think I read that this was hosted on an unprotected bucket. Assuming that’s correct I wouldn’t say this was a breach. A better headline would be “Women dating safety app ‘Tea’ exposed women’s PII”.
To be 100% clear, I’m not excusing the hackers. I don’t believe it’s morally correct to publicize something because it is exposed. For folks curious about that you can look into how to ethically disclose vulnerabilities. I still view this as doxxing. I still believe what the hackers did should be a criminal offense, it’s just that I also believe the app holds a ton of the blame as well. How can you proclaim to be about keeping women safe while putting them at risk? That should be punished as well.
Like if the storage facility you trusted to hold your stuff never had locks on the doors, shouldn’t they take a lot of the blame as well as the thief who found out a door was unlocked?
The bigger problem is trying to get the mainstream that would read an article like that to understand the technical difference between hacking and accessing unsecured data.
The term has had so many definitions its not really meaningful.
One of the definitions of hacking is illegally gaining access to a computer system. It doesn’t need to involve any sort of exploit. Stealing from an unlocked home is still stealing. Gaining access to a system by phishing is still hacking. Leaking data that is technically publicly accessible that isn’t meant to be publicly accessible is still hacking.
Not that I suspect anything good from 4chan but the proper thing to do would be to disclose to Tea that their data is public and allow them to fix the problem. The ethics of vulnerability disclosure still apply when the vulnerability is “hey you literally didn’t secure this at all.”
This reminded me of an anecdote from maybe 6 years ago. I was setting up and testing a small network and a couple devices to install for a customer, let’s say the subnet was 192.168.2.0/24.
Weird things were happening, I was being lazy and wasn’t directly connected to the network, may have setup a VPN between devices somewhere; can’t really remember. But pings would sometimes drop or blow out to 100’s ms.
I eventually ended up disconnecting that network entirely, then the pings continued and got more stable?? WTF! I need we didn’t have that subnet in use, even checked before setting it up. In the time between checking and the issues happening, someone in Sydney somewhere had stuffed up on their router and exposed there LAN to the internet without any Firewalls, just available.
Scanned and found all the IPs in use and in them found a printer. Connected to it and printed a page saying I’m from company XYZ and found all these devices available, and to either contact their IT and resolve it ASAP or my company to help. About an hour later it seemed to be resolved.
It was an interesting day.
Uh… you can’t just “expose a LAN network to the Internet” in this manner. Local subnets aren’t routable over the Internet, so you can’t just enter 192.168.2.3 and end up on somebody else’s private LAN.
https://www.geeksforgeeks.org/computer-networks/non-routable-address-space/
They would have needed to either have all their internal devices being assigned public IP’s or had NAT+firewall rules explicitly routing ports from their outside address(es) to the inside ones. The former is unlikely as normally ISPs don’t allocate that many to a given client, or at least not by DHCP. the latter would require a specific configuration mapping the outside addresses/ports to inside devices, likely on a per device+port basis.
Either your story is missing key details or you’ve misunderstood/made-up something.
The storage facility concept is kinda close, if you count it as “a storage facility beside a major intersection in a big facility, with the locker doors left open despite meant the warning at the front desk not to do so”
Never upload PII to social media
Your privacy is not legally protected.
This is why there should be a nationwide rule that PII data should be deleted after the users identity has been verified
Truly impressive how little america cares about its citizens.
There should be a time limit on all data.
The replies in this thread are disturbing, giving me a sense that Lemmy has a misogyny problem; maybe I was naïve, but I expected outrage about 4chan doxxing women trying to protect one another, instead I see lots of revenge enjoyment as if being doxxed on 4chan is justice for … <checks notes> warning one another about dangerous men they encounter when dating?
The inability to empathize and take seriously the threats posed to women or to understand their motivation to protect one another is alarming.
There is no good faith extended, but also no evidence presented that instead of safety the app was just for gossip, it’s just taken as assumed that women are wrong for using Tea and they all deserve to be doxxed.
Apparently the platform operated as some sort of gossipping/reporting system where unaware men and guys could be posted, so they could basicallly do the same thing that happened to them, all on one if the most unsafe system possible.
Honestly I see this as a consequence of their own actions mostly the database was unprotected. Their purpose was to document men behind their back. Turns out it backfired.
Lemmy is full of people with a lot of technical knowledge, who look down on anyone without it. Just look at their responses to someone complaining and an issue on Windows, it’s just a hundred people telling you what Linux distro they use.
It’s not so much mysogyny, they just can’t pass up the opportunity to be smug about something.
It isn’t the women who are wrong; it’s the app developer and 4chan. But setting aside the data breach, creating a Yelp for dating is a ticking time bomb. They were going to get sued out the ass, data breach or no data breach. I don’t know how many times this needs to happen, but I guess web developers have the memory of goldfish. There have been several attempts at something similar that got shut down for the obvious reasons. Making a website that rates human beings is always going to be a legal minefield.
Don’t trust dating apps ever. Literally better off dating someone you meet at a park.
Less chance an algorithm set you up to fail.
How is this relevant to anything I said? We aren’t even talking about a dating app here.
I understand what you’re saying but dating apps exist because there are so many people who have no access to third places like that and don’t get to meet anyone.
Partly that’s down to covid killing a bunch of stuff but it was on the decline before then anyway. Businesses were shutting down and becoming online only, town centres are emptying out, full of nothing but shuttered businesses with nothing to replace them. And of course now everyone is working from home.
There was less and less everyday opportunity to meet people. Even if I go outside if other people don’t then I’m just wandering around by myself.
Well lets be honest if someone made a gender inverse version ofctea many people would b concerned about what is being shared on the app. Honestly i find tesla disturbing and the 4 chan doxing dangerous. Both sides can be bad.
Those already exist. 4chan (yes, they even kind of invented cancel culture with going after “whores” in the late 2000’s), kiwifarms, various manosphere forums, Andrew Tate’s Discord server, etc.
Yeah amd those sites are not herald had a safety tool for men. They are seen vile pos.
sorry, are men concerned for their safety dating women such that a gender inverted version of this app makes sense? Your ignorance is what I’m talking about here …
The need for it was not part of my point. The point was a gender flipped app would of course cause some outrage. Immediately there would be people cry “it’s just for doxxing, stalking and revenge porn”.
But to engage in some good Faith dialoige. Are some men concerned for their safety, yes.
The Tea app is agnostic. While its purpose and main use case was made for the safety of women in the dating scene, it was inevitably used to spread exaggerated or misleading information about otherwise innocent men. Imagine being a privacy-conscious individual, and breaking up with a toxic woman. She could go on to spread lies about you and even upload pictures of you to the reverse image search/ai. So even if you were doing everything right from a privacy standpoint, you’d still end up in someone’s private database, subjected to ai training, shared with the government, or who knows what. While I do see the purpose of apps like these, they can effectively take away someone’s privacy/dignity without them even knowing about it. Now imagine being a 4channer, someone probably even more privacy-conscious than lemmings, and possibly experiencing mental disorders like paranoid schizophrenia or autism; of course they’re drawn to hacking an app that would destroy their privacy. They are not sane individuals, so this event really was inevitable.
Look at the screenshot in the article. That’s what their website looks like, it absolutely looks like it’s focusing on gossiping rather than women’s safety on dates.
I think you are misunderstanding why people are upset.
It’s horrible that these women were doxxed.
It’s also horrible that a subset of women were doxxing men, which is what brought this negative attention to the site.
Misogyny is real in our society, misandry is real.
Saying things happen for sexist reasons when it was for a logical reason does a disservice to movements that seek equality.
The internet also cheered on the 4chan PII leak that happened recently, not becauase it’s a male dominant space, but because they do shitty things like dox people.
I’m all for groups of safe spaces for women. Especially when it’s designed to keep them safe while dating. I have my doubts that Tea was that. Even if it was advertised as such, “tea” is slang for the word gossip. I’ve heard stories from several sources that it was used to dox people as well. Not saying what happened to the users is right. I think some users here are just feeling smug that this might cause the app to fail or shut down.
Yeah, naming it “Tea” is really the cherry on top. I’d love to know more about the people behind this. It’s hard to believe that anybody would be this oblivious. I guess the same kind of people who wouldn’t secure their database.
The app enables the photos to be run through a reverse image search, enabling them to run a basic background check, check against public sex offender databases, and check for photos that might get flagged as being used in “catfishing” — misrepresenting one’s identity online.
The app also features a “Tea Party Group Chat,” which allows users to directly share information about men, and has a rating function, which allows users to share their experiences with Yelp-style reviews, awarding men a “green flag” or a “red flag.”
https://www.cnn.com/2025/07/25/us/tea-app-dating-privacy-cec
It’s a bit like Rate My Professor, but for dating.
Honestly I cyncially expect this kind of app might inevitably exist for rating people of all genders (or that dating apps might incorporate this Uber-style rating system), but the reason this app exists has directly to do with the violence women face from intimate partners.
The point is that men who are enjoying the doxxing of women who have used this app are ignoring the context, or even have a warped sense of the context, as if this is narrowly about (legitimate) privacy concerns and the harms caused by the app.
Even if the concerns about the app are justified, the revenge enjoyment betrays a view much harder to defend, that all the women who used the app are equally cupable, or that doxxing women using the app is equivalent to women doxxing abusive men through the app.
Men are not all equally privileged, but there is a broad inequality both to how violence is distributed and how that plays out in dating situations. Women are not wrong to fear men. One in three women have experienced sexual or physical violence, most of that violence being perpetuated by men.
Since this is the context for the use of this app, it’s not neutral to doxx its users or to claim it’s fair because men feel (legitimate) concerns about the app’s privacy violations.
I agree 100% that women face many more dangers especially in the dating scene than men. I’m all for having resources available for them to remain as safe as possible.
I don’t see how a Rate My Professor type app would work well for dates. I feel like people would only spend the time to rate poor dates. If you had a really good date with someone, you would presumably start dating them so why would you let everyone else know they are a good person to go out with? I have no doubt there are some awful people out there that others should be warned about, but this type of app is a bit too risky to justify that in my opinion.
The background check feature sounds much more legit, but I don’t think a group chat feature needs to exist along side it.
All that being said, anyone enjoying the doxxing of others is just an asshole. There’s definitely nothing fair about it from either side.
Sure does sound pretty toxic.
yeah, the app has obvious flaws, and the Rate My Professor style approach succeeds or fails depending on the quality of the users and moderators, and could easily be useless or become toxic - either way, I’m not defending this aspect of the app, it’s clearly problematic.
Regardless I understand why women would want a resource like this, and that doesn’t seem true for those in the comments who see the doxxing as deserved for using this app.
Nevermind the rest of the context, like 4chan being a bastion of right-wing, misogynist trolls who would target an app like this for political reasons.
Lemmy users approving 4chan doxxing women is a major red flag … it might have something to do with how many Lemmy users come here due to being banned for their behavior on Reddit. Reddit isn’t sending their best and brightest, and it shows. (This is just my speculation, though.)
There is absolutely no problem checking out a perspective date for criminal records or if they’re on the sex offenders register. But they don’t need an app to do that they can just reverse image search on Google themselves.
The app added that to give legitimacy to its gossip feature. If lots of women have been on a date with the same guy and all have a story to tell that story is going to get told regardless of whether there’s an app enabling it or not.
Men not being able to even view the content on the platform and see if anybody is posting about them is an inherent problem with the fundamental design of the app.
Could you share said sources? It’s irrelevant though because justifying this doxxing SHOULD mean that the entirety of 4chan is a justifiable dox target. If you don’t believe that, then you should be against it happening against Tea users. They’re at the very least guilty of the same thing (in this case. 4chan is guilty of much more heinous things than just this).
I 100% agree that it isn’t relevant to the doxxing. I dont think the doxxing is warranted at all from either side. Most of what I saw about the app is just from various social media users as well as the Google PlayStore reviews. Personally I find it hard to believe the app wasn’t made with the purpose to dox people just based on the name alone. The ads make it seem like a safespace for women and if that’s all it was meant to be then it for sure had a very unfortunate name.
What does the name have to do with doxing? I know “tea” is slang for “gossip”, but gossip ain’t doxing.
A group of people with the intention of privately sharing details of people in order to track their behavior is definitely going to lead to doxxing. Maybe I’m getting the wrong idea, but it sounds like they are sharing the names of people they went on dates with. I assume that would include the city or town the date occurred which would infer where abouts they live. Given enough “reviews” of a single person I’m sure there would be sufficient info to call it doxxing.
Your comment was on top for me in my app, so I was like “oh how bad could it be.”. Holy shit you’re not wrong, there’s some disgusting comments that are getting voted up.
I’m low-key disappointed and appalled by these community members who believe these women “deserve” it for … Trying to help each other be safer?
saw this happening here, saw it happening in reddit threads on the topic, saw it all over the media cycle in the comments.
i agree, people’s visceral backlash against this app is steeped in a deep misogyny. most of these comments have a vapid absence of any sort of even basic recognition towards these women as people. talking about them like they’re abstract figures or test subjects up in here.
watching people take somewhat valid privacy concerns as an excuse to let loose their most toxic feelings towards women used to be the sort of thing only losers or emboldened megalomaniacs did in public, even just a decade ago.
in the past years i’ve just seen all my peers, regardless of political affiliation, manipulated into a cult of outrage that serves as another hamster wheel upon which capital may spin.
imtiredboss.png
Tea could easily be used for two extremely different purposes:
- Legitimate use to inform and protect women from abusive men
- Illegitimate use to spread misinformation (libel!) about men with no verification of truth or reasonable appeal process
The idea of Tea isn’t bad-- I’ve thought about the potential utility of similar apps myself-- but most people who are reacting badly are recognizing that it’s a nearly impossible moderation problem that will be used for bad things too.
of course, the app has obvious problems, but I don’t see that as justifying the gloating and sense of revenge enjoyment happening.
Instead I see a kind of discontent about women I find concerning, which seems ignorant of the widespread violence women experience or what it’s like for women who take risks when dating men.
Men are not all equally problematic or privileged, but they are generally in a position of power relative to women and are acting like the victims here.
They should direct their discontent to patriarchy which creates the situation where violence against women is dismissed or accepted, and which motivates women to use apps to check if the person they are dating has a history of violent behavior.
Patriarchy which perpetuates the narrative that men are natural predators and women natural prey is what victimizes men here, not the women who rightfully fear and feel victimized by the minority of men who are violent.
Pfft. They actually need a better half instead of being anti-social AI users.
They should care about nothing, and expect nothing.
That way, no entitlement, and no disappointment.
Why is everything we do, when we band together, seen as suspect and dangerous?
It’s suspect and dangerous due to its design, not the fact that it’s used by women. If there were an app where employers could rate their employees, it would have the same problems and I’d feel the same way about it.
Don’t look up something called, and I’m not remembering it perfectly, ‘the number,’ in the US, anyway.
This is a safety feature of women social groups for time immemorial. It’s a piece of how we survived prior to the last 50 years, and it continued as we moved forward into the era of liberation. We talk to each other.
I realize the “guy code” is one of silence. Cheating? Bros won’t say anything or warn anyone, by this code. In fact, the opposite is demanded by that code. Woman do the opposite, that is how the woman code works. I’ve witnessed fallout in friend groups when these diametrically opposed codes meet on regards to another friend. Apparently, having lunch with the cheated on woman and letting her know what is happening is applauded by women and enraging to men.
The piece regarding cheating is about integrity and treating people right in addition to safety. The rest of it is usually just about safety.
We survived millennia between being treated like prized horses. uteruses/vaginas with life support systems attached, and animals to be beaten, by talking to each other. Warning each other. Helping each other, where able.
The anger here, from you, is 100% expected, but the ordinary nature of that anger doesn’t make women wrong for exposing safety concerns in the dating pool. Given the myriad of diseases, including the incredible comeback of syphilis the last couple years, cheating is also a safety concern. Cheating should be exposed, always.
Okay so you’re now mad about some perceived social convention that you think all men follow. Ironic.
If one of my friends was cheating on his girlfriend and I knew I would definitely tell her, why wouldn’t I? Of course, the likelihood is that if they were the type to cheat on their girlfriend they’re probably not the sort of person I’d be hanging out within the first place.
So you’re now self-selecting for obnoxious people who think that women are just trophies. But that’s not “guy code” that’s just crap people, and there are absolutely women who will cheat on men and their friends will cover it up and say things like “ooh what happens in Ibiza/Vegas”.
Cheating? Bros won’t say anything or warn anyone,
Been cheated on by 3 different women. Guess how many of their friends told me what was happening. 0. So does that mean that her friends actually identified as men, or that you’re biased and actually this isn’t a “men” thing? Not one of them “had lunch” with me, so they must not have been women.
I’ve literally been cheated on by 3 different women and never cheated on anyone myself. The one time I was the 3rd party, the woman lied and said her and her BF had broken up, but they hadn’t. As such I’m absolutely sick of this whole “men cheat and women are perfect creatures who are perpetual victims” shit. Women cheat too.
Where’s my “cheating cunts” app to post pics and shit talk them, that also includes “pro” features such as address and phone number? Turnabout is fair play, wdym “that’s bad” when it’s women but tea is fine?
I realize the “guy code” is one of silence. Cheating? Bros won’t say anything or warn anyone, by this code. In fact, the opposite is demanded by that code. Woman do the opposite, that is how the woman code works.
I was not aware of this! I’ll have to consult my bro handbook.
The anger here, from you, is 100% expected, but the ordinary nature of that anger doesn’t make women wrong for exposing safety concerns in the dating pool.
What anger I have is directed towards the shitty website that didn’t protect their users’ very private data, and I assume that’s where yours is, too. (And, of course, 4chan, but fuck 4chan all day, every day.)
I don’t know anything about your “guy code”. I don’t view other men as my allies just because we share a gender, and I don’t view women as adversaries just because they have a different gender. I try to treat everybody the same regardless of gender. I’m not perfect, of course, since I grew up in the same fucked-up patriarchy as everybody else, but I do my best.
You seem to have very black-and-white thinking.
Cheating should be exposed, always.
I’m actually neutral on this statement. I haven’t had this experience, but if I knew that a friend was being cheated on, I think that the appropriate thing to do would be to inform them. If both the cheater and the cheatee were my friends, that would make things harder, and I would have a dilemma. If my friend is the cheater and I’m not friends with the cheatee, then I’m minding my own business. Again, though, I haven’t had this experience, so it’s hard to say what I would do for sure.
I’ve been seeing a lot of misogony here the past week or so. It’s disheartening.
I wonder what that is about?
And even if it was purely a gossip app, an eye for an eye leaves the whole world blind.
“gossip” is for safety. It’s often information that men don’t want shared so it’s painted like it’s bad. Claiming women shouldn’t gossip is just more misogyny.
There is some of that happening, like when women get together and discuss how they’re being treated it’s “gossip” and implied as immoral.
I think some men might read what you’ve said and think you are denying any toxic gossip exists, it’s important to have nuance and not alienate men who otherwise would be allies, but I think overall your point is well taken.
Say a woman breaks up with a man for petty reasons, like the guy switching the channel on TV, or even the other way around.
And she decides to make up reprehensible shit about him on that app.
He essentialy becomes undatable, and he does not know why.
This comment is one hour old, let’s give you my SS and CC info
??
Hungry data privacy lawyers when they learned about Tea this week:
What are the chances of this being the main reason for the app’s existence?
Seeing as the word hack is doing a lot of heavy lifting. They didn’t bother to actually secure the data and then put it on the internet for anyone to access.
I had been under the impression that 4chan had also basically died due to their own site getting hacked
It’s not like it was a complicated site, they just rebuilt it in some modern framework on the cheap.
That which has no life can never truly die (or something)
That is not dead which can eternal lie, and in strange eons even death may die.
I think?
the site got hacked and most of the admins were revealed to have .gov emails but everyone pretty much already expected that so nobody actually cared and it’s back to business as usual
most of the admins were revealed to have .gov emails
I remember reading that this was something someone just made up and was spread a bunch, but wasn’t true at all.
Oh my god that’s… So stupid, i hate this time line.
Dirty water that would behave no different if you sifted out the proteins.
People sign up to app intended to share personal information about others without their permission, end up having their own personal information shared without permission - the irony is impressive.
I think it depends on people’s intent and purpose for using this service. I’m overall not a fan of someone taking and sharing pictures of me without my consent, or making claims that can’t be defended…
The group of women legitimately using it for safety is fine, in a general sense.
The group of women using it as gossip and entertainment is not.
Considering that “tea” is common slang for gossip I’m not convinced there was many of the
latterformer.Given that the app name is slang for gossip, you’re not convinced there were many women using it for gossip?
Thanks I fixed it
It makes sense using it for safety, but I would worry about whether all the information on there is accurate. Most of the feedback on the app is probably negative, I doubt anyone would really post anything on Tea that’s positive about their former partner. But people like to believe they are in the right. Someone who got in a fight with their partner might post something on Tea that isn’t accurate, but makes them feel better since they can spin the story how they want, and make the other person at fault. However, unlike regular social media, the person being attacked by their partner on Tea has no idea that it happened, and no way to refute what was said. It promotes the opposite of any type of communication between partners after a fight or breakup. It promotes safety, but at the same time it promotes some toxicity in relationships. What would you think if you knew that if your got into a disagreement with your partner that you could end up posted on this app, without any way of arguing back?
At first I was going to call bullshit because I thought you were exaggerating and being ridiculous.
Nope. That’s the app. “Anonymous” sharing of pictures and info of other people. Presumably without their permission. That’s fucked up.
Yeah. I mean, I get it. The concept of the app makes sense. And I would be that, on average, it is/would be used for good.
On the other hand, as a guy, the idea that people are out there sharing reviews of me as a person on the open internet, and I have no way of knowing this, is deeply unsettling. Like, I haven’t done anything wrong - just the whole concept feels very gross.
That’s terrible.
Have an upvote.
Especially because the app is called “tea”, like the slang term for gossip. The letter of the intention may have been good but the whole thing is toxic.
My problem is how it’s implemented.
An app where you simply post a name and a location, and then people can DM you with their experiences directly, would be a lot less invasive.
You could ask someone you know to register and share the login, it’s a flawed concept. There’s probably a bunch of partners in there who didn’t even know their boyfriend used their info to create an account to check on themselves.
Removed by mod
as a woman or woman categorized person
Can’t tell if you’re being transphobic to trans femmes or supportive to femme leaning enbies.
Well im talking about external interpretation of ones identity rather than one’s intended expression, so you figure it out. Or don’t.
I’d say that’s supportive of femme leaning enbies rather than transphobic towards trans women.
There are other things it could be. Interperet as you like.
…
k
Bruh
I kniw right? Its pretty fucked, but sometimes belief that people, or even men, are mostly good gets you raped or crawling through a puddle of your own blood with fewer than four functioning limbs.
Cynical bitches like me though; we tend to make it out.
Maybe I’m just getting old, but the idea of “verifying” my real identity to a faceless website or mobile app is abhorrent.
I guess it doesn’t help that governments in some countries (UK, Australia that I know of) are encouraging this bullshit with Trojan horse laws claiming to protect children from adult websites / social media.
Can’t help but think there is also an element of pot meet kettle here, when users of an app designed to dox and slander people without their knowledge are now the ones getting doxxed themselves.
California, Utah, Texas all have laws now requiring age verification to use an app store
I’d be interested to know how that works with F-Droid or Aurora.
If you think that’s the same thing, you don’t understand at least on of those things, but safe money is both…
What if they take people’s biometric aka fingerprint and to view nsfw stuff you goota use the biometric and I am not talking about passkey
How does having my fingerprint prove my age.
The issue is, at some point, they have to connect your “digital you” to your self as a real person, after that they can track you, keep tabs on you. If that data was ever stolen, or a corrupt government rose to power, you’re really screwed.
Yeah. If it did.
What if they fucked right off and left parenting what kids do on their devices to their parents?
This is what happens when you decide to vibecode a service with zero attention to safety or web development. This is why you don’t immediately jump onto a new service without it being vetted properly. Now one of the worst communities on the Internet is in possession of over a hundred thousand women’s driving licenses and faces. This is going to be an absolute disaster.
Anybody oblivious enough to create something like this isn’t someone you should trust your most private data with. This service had red flags from the concept phase, never mind the execution.
This is not to say, of course, that the victims deserved it. It just really sucks that they had to learn this lesson this way.
This is ALSO why no service should ever require or get my driver’s license information. Fuck that. Also, yet another Constance to those who can’t afford a car or want to improve the environment by living car free.
Instead, just prove you have a credit card by submitting the details. Also totally safe. Be sure to include the CVV, please!
The only site I ever felt comfortable scanning shit like that into was a site that sold things only to military/medics/fire fighters so I had to upload my medic license and my FF cert.
Anything beyond that is a no go from me.
My only exception to that are uber drivers. But then again we live in an age where somehow better help has become popular, even though they sell your data.
I disagree on even that. It should be enough to have some trusted “notary” tick a box that they have verified your driver’s license as valid. It should not be stored out sent anywhere at any time. Just showed to a human. Regularly, if needed.
Now now, I like to shit on vibecoders too but let’s not pretend this is some new problem.
Idiots leave databases on cloud servers exposed all the time rather than deal with their companies often arcane rules for generating certificates
Remember when the government published SSNs in HTML? https://www.zdnet.com/article/missouri-will-not-prosecute-hacker-reporter-for-daring-to-view-state-website-html/
Where do you think the AI learned it?
Like, I get that competent coders do it too, but now any skiddie with an idea can cosplay as a developer so this is going to be so much more prevelant
That’s not new, either.
To be fair, I’m not sure why firebase even has a public access option. That’s a recipe for issues.
Though if it’s anything like Google Cloud Store, they hopefully make it very clear that your bucket is public.
How is something “vetted properly” and how do I find out about that?
This is something I worry about all the time as well, especially since I’ve started to learn how to code and experienced how easy it is to mess up and send a list with all registered users to everyone opening a page. (This was in a test environment.)
As a user, there is no proper way I know of to verify an app’s security. Most apps are closed source, but even if you could view the code, what would you look for?
Both Apple and Google have a verification process for apps that are published in their app stores, but if these worked, we wouldn’t see this happening.
There are academic researchers working on apps and privacy as well, but it’s not like you can ask them for a report on an app you’re thinking of installing.
I think it basically comes down to trust. Check if a developer has messed up in the past and how they dealt with that, that sort of stuff. And for dating apps there is this interesting article: https://www.privacyguides.org/articles/2025/06/24/queer-dating-apps-beware-who-you-trust/#reducing-the-risks-when-using-dating-apps
It’s a long read (haven’t fully read it myself yet) and it paints a bleak picture, but that’s the world we live in today.
You can pay for a 3rd party to penetration test your app, it’s good practice to do this before you launch an app, after any significant changes, and annually at a minimum.
There are also a growing number of companies offering continuous penetration testing - basically, automated pen tests - but these are expensive and it’s difficult to convince companies that the cost is worth it
You wait a while until something like this happens.
I honestly don’t understand what op is talking about.
Leaks happen all the time, even in billion dollar companies.
Their comment is the equivalent like, “This is why you should lock your doors!” Like uh okay.
This was more like leaving all your valuables in a cardboard box on your front lawn. Anyone can just take it, if they care to look inside the complete unsecured box.
Someone just drove up and tossed the box in their truck. No lock involved.
This situation would have been easily preventable with basic understanding of what they’re doing is what OP is saying. This leak is not something highly complex, it is painfully stupid on the side of the developers.
There’s a difference between a hack, where data is exposed, compared to data exposure due to negligence or ignorance on the development side.
Again, how should the end use know anything about what is going on at their end? How does anyone “vett” that? It is a nonsense “argument” to put blame on the users.
Where I’m from there’s certificates a company can get, that confirm a certain level of process and IT security. Also a company existing for at least 5-10 years without incidents is a “vetted” company in my books. At least anything that managed to produce a working IT system before 2021 when AI came around.
I also believe there’s a bit of bad wording going on with the original comment. Take it up with that guy, lol.
I love how people just jump on whatever they like, instead of actually thinking about the stuff they read/comment on/upvote. Exactly like on Reddit, no difference.
How strange that a site designed exactly like reddit behaves like reddit.
The thing is that many here think they are better, they look down on Reddit. There is a certain shift in what demographic switched over but generally it is the same.
I thought they were looking down on the owners of reddit, not the user base.
“Vibe coded” you just made that up didn’t you, because you don’t like llms. I don’t see anything in the article about “Ai” and this service has been operating for 2 years.
The og 4chan post brought up the vibe coding. Using it as an insult to quality is wider spread than just lemmy.
My thoughts as well. But hey, it’s lemmy! Just accuse someone of doing something we hate, good to go!
Maybe I shouldn’t have used the term vibe coded. I apologize.
Wow that was fast.
I did not even know this app existed untill about 8 hours ago.
Already comprimised.
EDIT: Also, lol, this arguably is not even largely a hack.
These idiots just had everything stored in a fucking publically accesible firebase bucket… amazing.
They didn’t delete anything they claimed to.
Either way you look at it, anywhere on the spectrum from:
A ] A bunch of women reasonably concerned for their safety
B ] A bunch of gossip mongers
… well, they’ve now all been doxxed, ironic from each angle.
What a fucking disaster.
if that’s truly how the leak happened then these people, in any reasonable jurisdiction, would be considered criminally negligent, at the least.
yay compsci ethics courses :D
boo courts failing to uphold the law >:(
Hooray two tiered legal system, huzzah!
/s/s/s
this arguably is not even largely a hack.
While I agree in principle, I think we should still call it a hack. As in “to gain illegal access to (a computer network, system, etc.)” as Merriam-Webster puts it. It shouldn’t be legal to do do this just because the website had horrible (non-existent) security. You shouldn’t be allowed to rob a house just because the door wasn’t locked.
This is more like the door was left open and the lights were on, and you took pictures of the artwork on the entryway walls and then left.
At which step should it turn illegal? You accessing publicly available website? How exactly are you to know if it is supposed to be public or not, if there is not even an attempt at security?
The thing is we don’t need to come up with some absolute definition of what should and shouldn’t be illegal to talk about this case specifically. They didn’t accidentally stumble on this. They doxxed the users instead of responsibly disclosing the problem. This is extremely cut and dry.
If the story here was “I mistyped something and got to a page I shouldn’t have access to, I disclosed it to the company, didn’t dox anyone by sharing the problem, and now the FBI is after me” it would be different.
They were looking through publicly accessible buckets on firebase. They literally did stumble upon this by accident while going through public data. And then just told other people about what they found. Should they have disclosed it once they realized what it was instead of spreading it? Sure, morally speaking. But I don’t see how you could write a law to make this illegal without just trampling on free speech.
And then just told other people about what they found.
That’s a weird way to say they doxxed people instead of ethically disclosing what they found. Hiding that detail is why I have a problem with defending this.
If someone steals something they didn’t know belonged to someone (say through an unlocked door), should we prosecute them? I don’t know. What did they do next after they found out they shouldn’t be there? Did they give it back and tell the building owners “hey, you have an unlocked door” or did they yell to the street “hey everyone, come get free stuff!” How did they behave once they knew they did something wrong.
From what I have seen, they initial guys shared a link to the database, not any content. The equivalent of telling people: “Look at this unlocked door I found.” They did not “steal” anything as far as I know.
Also, the analogy doesn’t work either. What if it really was intended to be public? Making a copy is not analogous to stealing something, it’s analogous to taking a picture.
PS: Maybe to make it clearer what I am thinking of. A real court case that happened: A person found a bunch of documents on a government website, just sitting there. He decided to share them. Turns out they were not supposed to be public. The government tried to prosecute the guy who had no idea the files were not public. They thankfully lost.
How can it be the responsibility of a person to try to figure out if these files are supposed to be public or are public on accident? Yes, these guys had a good guess that this was an accident, but so what. We don’t prosecute people for having good guesses.
Damn, do you think this link I found that has a ton of women’s drivers licenses is supposed to be public? Better share it to 4chan. They’ll know what to do.
No sympathy from me whatsoever. The app was designed to allow these women to anonymously post personal information about other people. Fuck 'em. Turnabout is fair play. As my kindergarten teacher used to say, “you get what you get and you don’t pitch a fit”.
If by “personal information” you mean sharing their experiences with certain people … Yeah I guess.
They weren’t sharing addresses and social security numbers or drivers license numbers or other things that would lead to identity theft.
How can you not have sympathy for these women getting doxxed because they wanted to help create a safer space for one another and to help each other out? That’s wild.
This is far from turnabout, this is abuse.
No, we mean “sharing what they claim is their experience and details of such”
Maybe they weren’t sharing addresses and SSN’s (though what’s stopping them from doing so), but like anything online it’s certainly not hard to make up, spin, or highly exaggerate a story to the detriment of the subject, but without them knowing about it.
So yeah, even if Sally Smith claims that “**Billy Jones of 125 South Street is a big loser who has undisclosed herpes, which who knows how he got it with that small dick of his”, maybe the truth is that Billy refused to pay for an expensive meal on a first date it some other thing entirely.
This isn’t turnabout (as the leak wasn’t intentional), and not abuse either, but it may be a bit karmic.
** Names and story entirely made up for example purposes
So it’s fair because you completely made up a story about what happened in the app?
How dare they warn other women about rapists.
Plus the whole moral aspect of such an app. While I agree that women have been mostly objectified their whole existence, this doesn’t help anyone.
We need to get rid of both superficial way of looking at each other ( women: seeking mostly young, beautiful, rich yes men, men: seeking perfect body, face, housewife stereotypes). Both mindsets are equally trash.
Agreed
Real
I would not under any circumstances give my drivers license to a for profit app. I don’t even like to give my email.
apparently there’s some law in the UK that mandates it now 🙄
Well UK, have the day you voted for I guess
Unfortunately this is the better of the two main parties. This isn’t republicans winning because dems didn’t vote. Labour won, and this still went through. The UK government as a whole has been on an anti porn brigade for decades. I can’t wait for the day labour and the Tories just die off.
Technically the act passed in 2023 under the Sunak government.
That said; I can’t seem to find a vote breakdown and I would not be at all surprised if labour also backed it.
I’m hoping enough public dissatisfaction leads to labour repealing it but I won’t hold my breath.
I’d like to blame the voting system for the lack of meaningful voting options.
Ed Davey, I can’t imagine Bad Enoch doing anything and Labour were the ones to implement this.
The next PM of this country will be the one who promises to bring back all the porn.
Also California
Thank fuck for VPNs, although it now wants to show me hot milfs in Brussels.
Something something Vegemite sandwich
And many republican US states.
