TechCrunch reports that TeaOnHer, a men-only alternative to the women-only dating safety app Tea that quickly gained popularity on the Apple App Store, had its users' data leaked within 10 minutes of the app link being delivered, owing to vulnerabilities in its API.
Opening the 'appserver[.]teaonher[.]com' subdomain, discovered in TeaOnHer's public internet records, revealed the app API's landing page, which included TeaOnHer developer Xavier Lampkin's email address and plaintext password; that password was later used to access the app's admin panel, according to TechCrunch researchers. The landing page detailed multiple endpoints, including '/docs', which served auto-generated documentation describing every action the app's API supports and allowed user data to be retrieved from the backend server, including names, ages, locations, government-issued IDs, driver's licenses, and selfies. All of the security issues have since been addressed, and the API landing and documentation pages have been taken down. However, Lampkin was noted to have initially dismissed the reported API bugs.
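The failures described above are configuration and authorization failures rather than exotic bugs: interactive API documentation left reachable in production, operator credentials rendered on a public landing page, and a data endpoint that returned identity documents without checking who was asking. The following is an added example, not code from TeaOnHer or TechCrunch, of the request-handling rules a small API backend would need to avoid each of those. It is written as a pure routing function so it can be exercised without a web server; the user records, tokens, paths and the `id_verified` field are all constructed for the example.

```python
"""Hardened request-handling rules for a user-data API (constructed example).

Three controls are shown, each matching one failure in the report:
  1. auto-generated docs are only served outside production;
  2. user-data routes require a bearer token and only return the caller's
     own record (object-level authorization);
  3. the landing page exposes nothing but a status line, never credentials,
     and identity documents are never returned raw.
"""
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed sample data standing in for an identity-verification backend.
USERS = {
    "u1": {"name": "Alice Example", "age": 31, "id_document": "scan-1.jpg"},
    "u2": {"name": "Bob Example", "age": 27, "id_document": "scan-2.jpg"},
}

# Constructed token store: opaque bearer token -> user id. A real service
# would validate a signed session or JWT; the lookup shape is the same.
TOKENS = {"tok-alice": "u1", "tok-bob": "u2"}


def docs_enabled(env: str) -> bool:
    """Interactive docs (/docs, /openapi.json) are a development aid;
    they are only served when the deployment is not production."""
    return env != "production"


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the user id for a valid 'Authorization: Bearer <token>' header,
    or None. Constant-time comparison avoids leaking token bytes by timing."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return None
    presented = auth[7:].strip()
    for known, user_id in TOKENS.items():
        if hmac.compare_digest(known, presented):
            return user_id
    return None


def handle(method: str, path: str, headers: Dict[str, str],
           env: str = "production") -> Tuple[int, str]:
    """Route a request and return (status, JSON body)."""
    if method != "GET":
        return 405, json.dumps({"error": "method not allowed"})

    if path == "/":
        # Landing page: a status line only. No operator e-mail, no password,
        # no list of internal endpoints.
        return 200, json.dumps({"service": "api", "status": "ok"})

    if path in ("/docs", "/openapi.json", "/redoc"):
        if not docs_enabled(env):
            return 404, json.dumps({"error": "not found"})
        return 200, json.dumps({"openapi": "3.0.0",
                                "paths": {"/users/{id}": {"get": {}}}})

    if path.startswith("/users/"):
        caller = authenticate(headers)
        if caller is None:
            return 401, json.dumps({"error": "authentication required"})
        target = path[len("/users/"):]
        # Object-level authorization: a caller may read only its own record,
        # so a valid token does not turn into a dump of everyone else's data.
        if target != caller:
            return 403, json.dumps({"error": "forbidden"})
        record = USERS.get(target)
        if record is None:
            return 404, json.dumps({"error": "not found"})
        # Never return the stored ID scan; expose only the verification result.
        safe = {"name": record["name"], "age": record["age"],
                "id_verified": True}
        return 200, json.dumps(safe)

    return 404, json.dumps({"error": "not found"})


if __name__ == "__main__":
    print(handle("GET", "/docs", {}))                       # 404 in production
    print(handle("GET", "/docs", {}, env="development"))    # 200 in dev
    print(handle("GET", "/users/u1", {}))                   # 401, no token
    print(handle("GET", "/users/u1", {"authorization": "Bearer tok-bob"}))    # 403
    print(handle("GET", "/users/u1", {"authorization": "Bearer tok-alice"}))  # 200
```

The `env` switch is the piece most often forgotten: frameworks that generate `/docs` from the route table enable it by default, so the production build has to disable it explicitly. The 403 branch matters as much as the 401: the report's endpoint served other users' licences and selfies, and a token check alone does not stop an authenticated user from walking the id space.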