A Men's Tea App Leaks User Data and Driver's Licenses

The Rise of TeaOnHer and the Security Concerns It Raises

A new app called TeaOnHer has recently gained attention for its unique approach to social networking. Designed specifically for men, it allows users to share photos and information about women they claim to have dated. However, this app has raised significant concerns regarding user privacy and data security, as it has exposed sensitive personal information, including government-issued IDs and selfies.

TeaOnHer was launched on the Apple App Store and is now ranked #2 among Lifestyle apps on iOS. It appears to be a direct response to another popular app called Tea, which enables women to post about the men they date. Tea is marketed as a women’s safety app with over six million users and operates similarly to Facebook groups like “Are we dating the same guy?” Despite its popularity, Tea has faced controversy due to the lack of verification for the claims made by its users.

The backlash against Tea intensified last week when 404 Media reported that 4chan users discovered a publicly exposed database belonging to the app. This database contained over 72,000 images, including thousands of selfies and photo IDs submitted during account verification. A subsequent hack revealed more than one million private messages sent through the app, leading the developers to disable the messaging feature.

TeaOnHer, in its own way, seems to be following the same path as Tea. It copied language from Tea’s App Store description and has also been found to have security flaws. HAWXTECH has identified at least one security vulnerability that allows unauthorized access to user data, including usernames, email addresses, driver's licenses, and selfies uploaded by users. These images are publicly accessible via web addresses, making them easy for anyone with the links to view.

In some instances, HAWXTECH observed lists of posts shared on TeaOnHer that included users' email addresses, display names, and self-reported locations. While HAWXTECH has withheld some details to prevent malicious actors from exploiting the vulnerabilities, the risks associated with using the app remain high.

TeaOnHer was uploaded to the iOS App Store by a developer named Newville Media Corporation. According to LinkedIn, the founder and CEO of this company is Xavier Lampkin. HAWXTECH has identified at least one record associated with Lampkin’s own data, highlighting the potential impact on all users who signed up or shared identity documents with the app.

The app currently has around 53,000 users, according to HAWXTECH. Additionally, a potential second security issue was identified, where an email address and plaintext password belonging to Lampkin were left exposed on the server. These credentials appear to grant access to the app’s “admin” panel. Although HAWXTECH did not use these credentials, they emphasize the dangers of leaving such sensitive information exposed.

Beyond the security issues, the content within TeaOnHer raises further concerns. The app requests IDs and selfies from users to verify their identities, but users can access a “guest” view without signing in. Upon opening this guest view, HAWXTECH observed several images of the same naked woman posted under different names, potentially constituting spam. It remains unclear if this woman gave consent for her photos to be shared. Other posts include photos and names of women, accompanied by derogatory comments.

Despite these troubling aspects, TeaOnHer ranks #17 among free apps, surpassing popular services like Instagram, Netflix, Uber, and Spotify. Meanwhile, Tea remains ranked #2.

As the app continues to gain traction, the need for stronger security measures and ethical considerations becomes increasingly important. Users should be aware of the risks involved and consider the implications of sharing personal information on such platforms.
