In a twist of irony, a dating gossip app called TeaOnHer—designed for men to share details about women they claim to have dated—ended up “spilling” something far more serious: thousands of users’ personal identification documents, fully exposed on the open internet.
TeaOnHer, much like the female-focused app “Tea” it aimed to emulate, suffered from major security flaws that allowed anyone to access highly sensitive data. Among the exposed files were photos of government-issued IDs, including driver’s licenses, alongside personal information such as names, ages, locations, and email addresses.
These apps often market themselves as “community safety” platforms, but their poor coding practices and lack of proper security controls demonstrate just how dangerous it can be to require users to upload sensitive documents. The risks are even greater as more apps begin enforcing age-verification laws that demand government ID uploads—creating large, tempting databases for cybercriminals.
From Download Link to Data Exposure in 10 Minutes
When we first received a link to TeaOnHer’s App Store listing, it took less than 10 minutes to find the exposed data—without even creating an account.
The process began by identifying the app’s infrastructure. TeaOnHer’s privacy policy (hosted as a public Google Doc) revealed an email address on the teaonher.com domain, which led us to the subdomain appserver.teaonher.com. Opening this URL exposed the app’s public API landing page—and shockingly, hardcoded admin panel credentials in plain text.
The API documentation, powered by Swagger UI, openly listed every endpoint available to both regular users and administrators. Even worse, some endpoints required no authentication at all, meaning anyone could execute queries to retrieve private user data directly from the backend.
By simply clicking an endpoint, we were able to pull up dozens of user verification records, including direct links to Amazon S3-hosted identity document photos. These files were stored with public access permissions, allowing anyone with the link to download them without restriction.
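The endpoint-level problem described above (an API whose documentation lists operations that require no authentication) is something a team can audit from the same OpenAPI document that Swagger UI renders. The following is an added example, not code from the article or from the app; the spec and its endpoint names are constructed for illustration, and the check simply reports every operation that no security scheme protects so it can be reviewed before deployment.

```python
import json

# Constructed sample OpenAPI document (not TeaOnHer's real API; endpoint names are assumptions).
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    # Document-level requirement: every operation needs a bearer token unless it overrides this.
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/me": {"get": {"summary": "Current user profile"}},
        "/admin/verifications": {
            # An explicit empty list disables authentication for this operation.
            "get": {"summary": "List ID verification records", "security": []}
        },
        "/public/health": {"get": {"summary": "Health check", "security": []}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}


def unauthenticated_operations(spec_json):
    """Return (METHOD, path) pairs that no security scheme protects.

    OpenAPI rules applied here: an operation-level 'security' list overrides the
    document-level one, and an empty list means the operation is deliberately open.
    An operation is also open when neither level declares any requirement.
    """
    spec = json.loads(spec_json)
    global_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:  # skip 'parameters', 'summary', etc.
                continue
            security = op.get("security", global_security)
            if not security:
                findings.append((method.upper(), path))
    return findings


def main():
    # Each line is an operation a reviewer must consciously accept as public.
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        print(f"NO AUTH: {method} {path}")


if __name__ == "__main__":
    main()
```

Run against the constructed spec it flags the verification-record listing alongside the intentionally public health check, which is exactly the distinction a reviewer has to make by hand.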
The Scope of the Leak
The exposed data included:
- Unique user IDs and profile information
- Private email addresses
- Self-reported ages and locations
- High-resolution scans of driver’s licenses and government IDs
- Selfies submitted for identity verification
With such direct API access, a malicious actor could have easily scraped the entire database in minutes, harvesting IDs for identity theft or fraud.
Developer Response
Attempts to responsibly disclose these vulnerabilities to TeaOnHer’s developer, Xavier Lampkin, were met with bounced emails, delayed replies, and initial denial. Even after being provided with clear evidence—including his own personal data—there was no confirmation that users or regulators would be notified.
Since the disclosure, the API documentation has been taken offline, authentication requirements have been implemented, and public access to the S3 bucket has been removed. However, it remains unknown whether any unauthorized access occurred before these fixes.
Lessons Learned
This incident highlights a recurring truth in application security: if you can’t protect sensitive user data, you shouldn’t collect it in the first place. Regardless of whether you’re a solo developer or a large enterprise, storing government-issued IDs demands rigorous security testing, proper access controls, and secure storage practices.
In a world where personal data is one of the most valuable commodities, weak security isn’t just a technical oversight—it’s a breach of user trust.
If you suspect an app or service is leaking personal information, contact us securely. Cybersecurity is everyone’s responsibility, and exposing vulnerabilities can prevent far greater harm.