TeaOnHer, an app designed for men to share photos and information about women they claim to have dated, ironically exposed the personal data of thousands of its users to the open web. Much like its counterpart, Tea—a dating-gossip app for women—TeaOnHer had significant security flaws that leaked users’ sensitive information, including photos of driver’s licenses and other government-issued IDs.
These apps, marketed as tools for relationship transparency under the guise of safety, instead highlighted the dangers of requiring users to submit sensitive data. Poor coding and weak security measures left personal information vulnerable, a growing concern as more apps comply with age verification laws that demand identity documents.
When TechCrunch investigated, we chose not to disclose specific vulnerabilities to prevent exploitation. However, given the app’s popularity and immediate risks to users, we published a limited disclosure. At the time, TeaOnHer was the second most downloaded free app on the Apple App Store.
The security flaws were shockingly easy to find. Within minutes of receiving an App Store link, we accessed users’ driver’s licenses due to poorly secured backend systems. The app’s API allowed unauthenticated access to private data, exposing user records, email addresses, and identity documents stored in a publicly accessible Amazon cloud server.
Despite repeated attempts to contact TeaOnHer’s developer, Xavier Lampkin, he initially dismissed our concerns, claiming no breach existed. After we provided evidence, including exposed documents, he acknowledged the issue but later stopped responding.
The API’s documentation page, meant for developers, was publicly accessible and revealed commands to retrieve user data without authentication. This flaw could have allowed malicious actors to scrape vast amounts of personal information.
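The two defects described above, an endpoint that serves user records without checking who is asking and, behind it, a store of identity documents that the endpoint hands out, come down to a missing authentication step and a missing ownership check. The following is an added illustration written for this page, not TeaOnHer's code or any real API: a hypothetical user-record handler in its exposed form beside a hardened form, plus a small regression check a development team can run against its own handlers to confirm that anonymous calls are refused. All names, records and tokens are constructed.

```python
"""
Added illustration (not TeaOnHer's code): a user-record endpoint that
returns data to anyone, beside one that requires a valid session and
returns only the caller's own record. All data below is constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed user store. The id_document field stands in for the kind of
# sensitive artefact (a stored government ID) that must never be served
# without authentication and an ownership check.
USERS: Dict[str, dict] = {
    "u1": {"email": "alice@example.invalid", "id_document": "storage/u1-id.jpg"},
    "u2": {"email": "bob@example.invalid", "id_document": "storage/u2-id.jpg"},
}

# Constructed session store: opaque random token -> user id.
SESSIONS: Dict[str, str] = {}


def login(user_id: str) -> str:
    """Issue an unguessable session token for an (already verified) user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


# --- Exposed pattern: no authentication, no ownership check -----------------
def get_user_exposed(user_id: str, token: Optional[str] = None) -> Response:
    """Anyone who knows or enumerates a user id receives the full record."""
    record = USERS.get(user_id)
    if record is None:
        return Response(404)
    return Response(200, record)


# --- Hardened pattern: authenticate the caller, then authorise the object ---
def get_user_hardened(user_id: str, token: Optional[str] = None) -> Response:
    """Require a live session and serve only the caller's own record."""
    caller = SESSIONS.get(token) if token else None
    if caller is None:
        return Response(401)          # no valid session: refuse before touching data
    if caller != user_id:
        # 404 rather than 403, so the endpoint does not confirm which ids exist.
        return Response(404)
    return Response(200, USERS[user_id])


# --- Defender's regression check ---------------------------------------------
def requires_auth(handler: Callable[..., Response]) -> bool:
    """True if an anonymous call to the handler is refused rather than served.

    Meant to run in a test suite over every handler that touches user data,
    so a route that silently loses its auth check fails the build.
    """
    for uid in USERS:
        if handler(uid, None).status == 200:
            return False
    return True


if __name__ == "__main__":
    session = login("u1")
    print("exposed, anonymous:", get_user_exposed("u2").status)             # 200: leak
    print("hardened, anonymous:", get_user_hardened("u2").status)           # 401
    print("hardened, other user:", get_user_hardened("u2", session).status) # 404
    print("hardened, own record:", get_user_hardened("u1", session).status) # 200
    print("exposed passes check:", requires_auth(get_user_exposed))          # False
    print("hardened passes check:", requires_auth(get_user_hardened))        # True
```

The ownership check matters as much as the login check: an endpoint that authenticates callers but then serves any record they name still lets one registered user walk through every other user's ID document. The `requires_auth` helper is deliberately simple so it can be applied to every data-bearing route rather than a chosen few.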
Since our report, the API landing page has been taken down, and the exposed documents are no longer publicly viewable. However, Lampkin refused to confirm whether any unauthorized access occurred before the fix.
Developers, regardless of scale, have a duty to protect user data. If an app cannot safeguard sensitive information, it should not collect it in the first place.
If you have evidence of a popular app exposing user data, you can securely contact the reporter via encrypted messaging.