Tea was storing its users’ sensitive information on Firebase, a Google-owned backend cloud storage and computing service.
Every time. With startups, it’s always an unsecured Firebase or S3 bucket.
I’m certainly no web security expert, but shouldn’t Tea’s junior network/backend/security developers, let alone seniors, know how to secure said Firebase or S3 buckets with STARTTLS or SSL certificates? Shouldn’t a company like this have some sort of compliance department?
It’s a little more complex than that. If you want the app on the user device to be able to dump data directly into your online database, you have to give it access in some way. Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.
Obviously there are ways around this too, but it’s not just “use TLS”.
> Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.

Encrypt the credentials then? Or OAuth pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that encrypts the data on that server and is then decrypted on the database host?
Clearly my utter “noobishness” is showing, but at least it’s triggering a slight urge to casually peruse modern WebSec production workflows. I am a DNN researcher. Thus, I am far removed from customer-facing production environments, and it shows.
Any recommendations on literature or articles on how engineers solve these problems in a “best practices” way that you can recommend? I suppose I could just look it up, but I thought I’d ask.
Edit: I don’t know why I’m down-voted. My questions were sincere.
They were probably using Firestore as their database without authenticating their API calls to Firebase functions. Basically leaving their API endpoints open to the public Internet.
They could have connected a service account and used some kind of auth handshake between that and generate a temporary login token based on user credentials and the service account OAuth credentials to access the API. But they probably just had everything set to unauthenticated.
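The token handshake described in the comment above, as an added example that is not part of the original thread and not Tea's or Firebase's code: a backend holding the long-lived secret mints a short-lived, per-user upload token, and the storage-facing check denies anything unauthenticated, tampered, expired or out of scope. The key, the TTL, the `uploads/<user>/` path layout and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the service-account secret; it never ships in the app.
SERVER_KEY = b"constructed-demo-key-not-a-real-credential"
TOKEN_TTL = 300  # seconds a minted token stays valid (assumed value)

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def _sign(payload):
    return _b64(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest())

def mint_upload_token(user_id, now=None):
    """Backend side: call only after the user's own login has been verified."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "scope": f"uploads/{user_id}/", "exp": now + TOKEN_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _sign(payload)

def authorize_upload(token, object_path, now=None):
    """Storage-facing check: deny unless the token is authentic, fresh and in scope."""
    now = int(time.time()) if now is None else now
    if not isinstance(token, str) or token.count(".") != 1:
        return False                      # unauthenticated or malformed request
    body, sig = token.split(".")
    try:
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False                      # forged or tampered claims
    claims = json.loads(payload)          # parsed only after the signature checks out
    if claims["exp"] <= now:
        return False                      # expired token
    if ".." in object_path.split("/"):
        return False                      # no traversal out of the user's prefix
    return object_path.startswith(claims["scope"])

if __name__ == "__main__":
    t = mint_upload_token("alice")
    print(authorize_upload(t, "uploads/alice/id.jpg"))
    print(authorize_upload(None, "uploads/alice/id.jpg"))
```

The app only ever holds the short-lived token, so extracting it from an installation yields access to one user's prefix for a few minutes rather than to the whole store.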
deleted by creator
Honestly it seems like a weapon that can too easily be used for defamation
I mean, yes, but does that take priority over women who are worried about their safety? There’s been women doing this over local Facebook groups for a long time. Defamation of this sort is not a new issue.
Considering even the mere accusation can ruin someone’s life? Yes.
The problem isn’t women don’t deserve to be safe, the problem is we cannot just give people powerful weapons with no oversight or burden of proof to be deployed simply because a date didn’t go well.
Facebook or App, the danger is too great
I feel that the app filled a need of women we should not ignore. But the app, both this specific app and also the overall concept, is just too rife with downsides to be workable.
So we, as men and as society need to reevaluate why women feel the need for such an app, and reinvest in the criminal justice system to hold victimizers more accountable.
It’s okay to call this app and similar Facebook groups unacceptable. But that’s not enough, we must also call for stronger protections for victims of criminal behavior.
It would be interesting to see something similar that required accusations to be backed up with evidence. Police reports, court proceedings and results, news articles etc.
It would also be a lot safer, legally speaking, for the service provider.
Something like Megan’s law but for domestic violence. I’m still not thrilled with the potential for abuse, but at least it wouldn’t be hearsay.
I’m sure the police unions would object, for obvious reasons.
deleted by creator
I think there must be a way to deliver on the value of the app without it being the privacy/public exposure nightmare it sounds like. Speaking naively, perhaps a setup where you can only speak about a person with those who have actually matched with them.
There’s no “matching” on this app, because men aren’t allowed. By its very design, you can’t avoid the unilateral one-sidedness.
Sorry, I do understand that, I was just thinking of an improvement that might help. I thought having the same phone number might work too but that gets dodgier.
deleted by creator
Why did the app have the government IDs and credit card data to begin with? The app looks like an obvious phishing scam/honeypot situation.
that’s a great(terrible) idea for a sex trafficking psyop. just get yourself a female spokesperson and make it a platform that gives a voice to women who have survived abuse. they’ll willingly give you all their information on where to find them and their psych profiles on how to manipulate them.
fucked up, but really shows how fucked up apps are in general and how much power we give to them over ourselves.
How many red flags do you need to collect before you get a free cat?
A more ironic outcome couldn’t have happened
Lots of misandrists in this thread framing security failures as sexism against men
It can be both.
So many problems are caused because society assumes cisgender women are always victims and anything that looks like a man if you look at it long enough is an abuser.
It’s just original Facebook but for women to rate and bully men instead of Mark and his scum bros using it to rate and bully women.
We didn’t like it when Mark did it, why would we like it now?
Well, we know what to bait a honeypot with. “Gossip about/slander men right here! To prove you’re a woman, insert your photo ID, bank details, credit card information, fingerprints and retinal scans.”
Sounds MAGA level IT and dev.
Lots of men in this thread real upset about this app pointing out how the majority of men are shit
Defaming people without giving them a chance to defend themselves, talk about shit people…
It’s not defamation if it’s true
And it’s legally actionable libel/slander if false.
What are you basing the majority of men are shit on? Confirmation bias?
Oh come on, you know how Those People are
Well, I’m a man. And most men I interact with are casually misandrist, ableist and homophobic. I can’t imagine they behave any better when they’re trying to fuck you
So confirmation bias. Gotcha. That’s generally not a great way to make sweeping generalizations about 50% of the population.
You ever hear that adage about smelling shit wherever you go, maybe check your shoes?
It’s an antisocial surveillance system for antisocial people, and creates a(n even more) antagonistic relationship between men and women.
Dating apps have been a disaster for dating, and this is perhaps the worst among them.