How we found TeaOnHer spilling users' driver's licenses in less than 10 minutes

Yahoo, a day ago
For an app all about spilling the beans on who you're allegedly dating, it's ironic that TeaOnHer was spilling the personal information of thousands of its users to the open web.
TeaOnHer was designed for men to share photos and information about women they claim to have been dating. But much like Tea, the dating-gossip app for women it was trying to replicate, TeaOnHer had gaping holes in its security that exposed its users' personal information, including photos of their driver's licenses and other government-issued identity documents, as TechCrunch reported last week.
These gated-community-style apps were ostensibly created so users could share information about their relationships in the name of personal safety. Shoddy coding and security flaws in both, however, highlight the privacy risk inherent in requiring users to hand over sensitive information before they can use an app or website.
Such risks are only going to worsen; popular apps and web services are already having to comply with age verification laws that require people to submit their identity documents before they can be granted access to adult-themed content, despite the privacy and security risks associated with storing databases of people's personal information.
When TechCrunch published our story last week, we did not publish specific details of the bugs we discovered in TeaOnHer, erring on the side of caution so as not to help bad actors exploit them. Instead, we opted for a limited disclosure, because of the app's rising popularity and the immediate risk to the people using it.
As of the time of disclosure, TeaOnHer was #2 in the free app charts on the Apple App Store, a position still held by the app today.
The flaws we found appear to be resolved. TechCrunch can now share how we were able to find users' driver's licenses within 10 minutes of being sent a link to the app in the App Store, thanks to easy-to-find flaws in the app's public-facing backend system, its API.
The app's developer, Xavier Lampkin, did not respond to multiple requests for comment after we submitted details of the security flaws, nor would Lampkin commit to notifying affected TeaOnHer users or state regulators of the security lapse.
We also asked Lampkin if any security reviews were carried out before the TeaOnHer app was launched, but we got no reply. (We have more on disclosure later on.)
Alright, start the clock.
TeaOnHer exposed 'admin panel' credentials
Before we even downloaded the app, we first wanted to find out where TeaOnHer was hosted on the internet by looking at its public-facing infrastructure, such as its website and anything hosted on its domain.
This is usually a good place to start, as it helps to understand what other services the domain is connected to on the internet.
To find the domain name, we first looked (by chance) at the app's listing on the Apple App Store to find the app's website. This can usually be found in its privacy policy, which apps must include before Apple will list them. (The app listing also claims the developer 'does not collect any data from this app,' which is demonstrably false, so take that as you will.)
TeaOnHer's privacy policy was in the form of a published Google Doc, which included an email address with a teaonher.com domain, but no website.
The website wasn't public at the time, so with no website loading, we looked at the domain's public-facing DNS records, which can help to identify what else is hosted on the domain, such as the type of email servers or web hosting. We also wanted to look for any public subdomains that the developer might use to host functionality for the app (or host other resources that should probably not be public), such as admin dashboards, databases, or other web-facing services.
But TeaOnHer's public DNS records held nothing of note beyond a single subdomain, appserver.teaonher.com.
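The subdomain check described above, as an added illustration in Python's standard library; this is not TechCrunch's tooling and not what the reporters ran. The domain, the candidate labels and the fake resolver tables are constructed so the example runs offline; against a live domain you would pass the default resolver and a proper wordlist. The wildcard probe is the check a practitioner wants here: a zone that answers every name would otherwise make every candidate look live.

```python
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional

# Hostname -> IPv4 address, raising OSError (socket.gaierror) when no record exists.
Resolver = Callable[[str], str]

# Short constructed list of labels worth trying against an app's domain; a real
# enumeration would use a much larger wordlist (and certificate-transparency logs).
DEFAULT_LABELS = ["www", "api", "appserver", "admin", "dev", "staging", "db", "docs"]


def resolve_one(host: str, resolve: Resolver) -> Optional[str]:
    """Return the address host resolves to, or None when the name does not exist."""
    try:
        return resolve(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def wildcard_address(domain: str, resolve: Resolver) -> Optional[str]:
    """Probe a random label under the domain. If it resolves, the zone has a
    wildcard record and every candidate would appear to exist, so callers must
    discard hits that point at this same address."""
    return resolve_one(f"{secrets.token_hex(8)}.{domain}", resolve)


def find_subdomains(domain: str,
                    labels: Iterable[str] = DEFAULT_LABELS,
                    resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Map each candidate subdomain that resolves to its address, ignoring
    wildcard catch-all answers."""
    catch_all = wildcard_address(domain, resolve)
    found: Dict[str, str] = {}
    for label in labels:
        fqdn = f"{label}.{domain}"
        address = resolve_one(fqdn, resolve)
        if address is None or address == catch_all:
            continue
        found[fqdn] = address
    return found


# --- constructed data so the example runs offline ---------------------------
FAKE_ZONE = {
    "appserver.example.test": "203.0.113.10",
    "www.example.test": "203.0.113.20",
}


def fake_resolver(host: str) -> str:
    """Stand-in for socket.gethostbyname backed by the constructed zone above."""
    if host in FAKE_ZONE:
        return FAKE_ZONE[host]
    raise socket.gaierror(f"no record for {host}")


def wildcard_resolver(host: str) -> str:
    """Constructed zone with a wildcard: every name answers, only one is real."""
    if host == "appserver.example.test":
        return "203.0.113.10"
    if host.endswith(".example.test"):
        return "203.0.113.99"
    raise socket.gaierror(f"no record for {host}")


if __name__ == "__main__":
    print(find_subdomains("example.test", resolve=fake_resolver))
    print(find_subdomains("example.test", resolve=wildcard_resolver))
    # Against a live domain: find_subdomains("example.com")
```

One limitation worth knowing: a real host whose address happens to equal the wildcard's catch-all address is discarded too, so on a wildcard zone a second pass that compares HTTP responses rather than addresses is the usual follow-up.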
When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, we uploaded a copy here). An API simply allows things on the internet to communicate with each other, such as linking an app to its central database.
It was on this landing page that we found the exposed email address and plaintext password (which wasn't that far off 'password') for Lampkin's account to access the TeaOnHer 'admin panel.'
The API page showed that the admin panel, used for the document verification system and user management, was located at 'localhost,' which refers to the machine the server itself runs on (its loopback interface) and so may not have been directly reachable from the internet. It's unclear whether anyone could have used the credentials to access the admin panel, but the exposure was in itself a sufficiently alarming finding.
At this point, we were only about two minutes in.
Otherwise, the API landing page didn't do much other than offer some indication as to what the API can do. The page listed several API endpoints, which the app needs to access in order to function, such as retrieving user records from TeaOnHer's database, for users to leave reviews, and sending notifications.
With knowledge of these endpoints, it can be easier to interact with the API directly, as if we were imitating the app itself. Every API is different, so learning how an API works and how to communicate with one can take time to figure out, such as which endpoints to use and the parameters needed to effectively speak its language. Apps like Postman can be helpful for accessing and interacting directly with APIs, but this requires time and a certain degree of trial and error (and patience) to make APIs spit out data when they shouldn't.
But in this case, there was an even easier way.
TeaOnHer API allowed unauthenticated access to user data
This API landing page included an endpoint called /docs, which served the API's auto-generated documentation (powered by a product called Swagger UI): an interactive page listing every operation the API supports, with a form for sending each request straight from the browser.
This documentation page was effectively a master sheet of all the actions you can perform on the TeaOnHer API as a regular app user, and more importantly, as the app's administrator, such as creating new users, verifying users' identity documents, moderating comments, and more.
The API documentation also featured the ability to query the TeaOnHer API and return user data, essentially letting us retrieve data from the app's backend server and display it in our browser.
While it's not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication — no passwords or credentials were needed to return information from the TeaOnHer database. In other words, you could run commands on the API to access users' private data that should not have been accessible to a user of the app, let alone anyone on the internet.
All of this was conveniently and publicly documented for anyone to see.
Requesting a list of users currently in the TeaOnHer identity verification queue, for example — no more than pressing a button on the API page, nothing fancy here — would return dozens of account records on people who had recently signed up to TeaOnHer.
The records returned from TeaOnHer's server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web address links containing photos of the users' driver's licenses and corresponding selfies.
Worse, these photos of driver's licenses, government-issued IDs, and selfies were stored in an Amazon S3 storage bucket configured to be publicly accessible to anyone with the web address. With that setting, anyone holding a link to someone's identity documents could open the files from anywhere, with no restrictions.
With that unique user identifier, we could also use the API page to directly look up individual users' records, which would return their account data and any of their associated identity documents. With uninhibited access to the API, a malicious user could have scraped huge amounts of user data from the app, much like what happened with the Tea app to begin with.
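The two failures described above, an admin-only listing reachable without any credentials and a record lookup by user ID open to anyone who knows the ID, as an added example in Python. This is not TeaOnHer's code; the page shows nothing of the actual implementation, and the endpoint paths, field names, tokens and records here are constructed. A request is modelled as (method, path, headers) and a handler returns (status, body), so the logic runs without a web framework. The vulnerable handler behaves the way the article describes. The hardened one adds authentication, a role check on the admin route (function-level authorization) and an ownership check on the per-user route (object-level authorization), and strips the e-mail address and document links from what other users can see.

```python
from http import HTTPStatus
from typing import Any, Dict, Optional, Tuple

# Constructed in-memory records; the field names are illustrative, not TeaOnHer's schema.
USERS: Dict[str, Dict[str, Any]] = {
    "u-7f3a": {"email": "alice@example.test", "screen_name": "alice", "age": 29,
               "location": "Austin", "verification": "pending",
               "id_document": "https://media.example.test/ids/u-7f3a/license.jpg"},
    "u-9c21": {"email": "bob@example.test", "screen_name": "bob", "age": 34,
               "location": "Denver", "verification": "pending",
               "id_document": "https://media.example.test/ids/u-9c21/license.jpg"},
}

# Constructed bearer tokens. A real service would validate a signed or stored session
# token; the point here is what happens after the caller's identity is known.
SESSIONS: Dict[str, Dict[str, str]] = {
    "tok-alice": {"user_id": "u-7f3a", "role": "user"},
    "tok-admin": {"user_id": "u-0001", "role": "admin"},
}

Response = Tuple[HTTPStatus, Any]


def pending_queue():
    """Full records of everyone awaiting identity verification."""
    return [dict(id=uid, **u) for uid, u in USERS.items() if u["verification"] == "pending"]


def vulnerable_handle(method: str, path: str, headers: Dict[str, str]) -> Response:
    """The failure the article describes: both routes answer anyone, and the
    records include e-mail addresses and links to identity documents."""
    if method == "GET" and path == "/admin/verification-queue":
        return HTTPStatus.OK, pending_queue()
    if method == "GET" and path.startswith("/users/"):
        uid = path[len("/users/"):]
        if uid in USERS:
            return HTTPStatus.OK, dict(id=uid, **USERS[uid])
    return HTTPStatus.NOT_FOUND, None


def authenticate(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Resolve the bearer token in the Authorization header to a principal, or None."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return SESSIONS.get(token.strip())


def public_view(uid: str, user: Dict[str, Any]) -> Dict[str, Any]:
    """What an ordinary app user may see of someone else: no e-mail, no documents."""
    return {"id": uid, "screen_name": user["screen_name"], "age": user["age"],
            "location": user["location"]}


def hardened_handle(method: str, path: str, headers: Dict[str, str]) -> Response:
    principal = authenticate(headers)
    if principal is None:
        return HTTPStatus.UNAUTHORIZED, None            # no valid credentials at all
    if method == "GET" and path == "/admin/verification-queue":
        if principal["role"] != "admin":
            return HTTPStatus.FORBIDDEN, None           # function-level authorization
        return HTTPStatus.OK, pending_queue()
    if method == "GET" and path.startswith("/users/"):
        uid = path[len("/users/"):]
        user = USERS.get(uid)
        if user is None:
            return HTTPStatus.NOT_FOUND, None
        if principal["role"] == "admin" or principal["user_id"] == uid:
            return HTTPStatus.OK, dict(id=uid, **user)  # object-level authorization
        return HTTPStatus.OK, public_view(uid, user)    # everyone else gets the public subset
    return HTTPStatus.NOT_FOUND, None


if __name__ == "__main__":
    print(vulnerable_handle("GET", "/admin/verification-queue", {}))
    print(hardened_handle("GET", "/admin/verification-queue", {}))
    print(hardened_handle("GET", "/users/u-9c21", {"Authorization": "Bearer tok-alice"}))
```

Two points on the design. The check runs on every route, including the per-user one: the unique identifier the article mentions is not a secret, and the hardened handler treats it as a lookup key, not as proof of anything. And hiding the documentation is not the fix; the documentation only made the missing checks easier to find. If the framework is FastAPI, which serves Swagger UI at /docs by default (the page does not say which framework TeaOnHer used), passing docs_url=None, redoc_url=None and openapi_url=None to the FastAPI constructor removes the page, but the authorization checks above are what actually close the hole.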
From bean to cup, that was about 10 minutes, and we hadn't even logged in to the app yet. The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did.
We asked, but Lampkin would not say if he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users' verification documents, such as by scraping web addresses from the API.
In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page; it now displays only the status of the server that the TeaOnHer API runs on, reported as 'healthy.' At least on cursory tests, the API now appears to require authentication, and the calls we made previously no longer work.
The web addresses containing users' uploaded identity documents have also been restricted from public view.
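One way to serve identity documents without making the objects themselves public, as an added example that is not TeaOnHer's code and not Amazon's presigned-URL format: each link carries an expiry and an HMAC over the object key and that expiry, and the service checks both before it streams the file. The signing key, base URL and object key are constructed. On S3 the native equivalent is a presigned URL (boto3's generate_presigned_url) issued by the application, with the bucket's public access blocked, which is where a practitioner would start; this block shows the mechanism such URLs rely on, so the failure cases (expired link, swapped object, tampered expiry, wrong key) are visible.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. A real deployment keeps this in a secret store, never on a
# landing page or in client code; anyone holding it can mint links for any object.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _signature(object_key: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over the object key and expiry, as unpadded URL-safe base64."""
    message = f"{object_key}\n{expires}".encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_download_url(base_url: str, object_key: str, ttl_seconds: int,
                      now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Issue a link to one object that stops working after ttl_seconds."""
    expires = (int(time.time()) if now is None else int(now)) + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(object_key, expires, key)})
    return f"{base_url.rstrip('/')}/{object_key}?{query}"


def verify_download_url(url: str, now: Optional[int] = None,
                        key: bytes = SIGNING_KEY) -> bool:
    """Accept the link only if the signature covers this exact object key and
    expiry and the expiry has not passed. Any missing or malformed field fails."""
    parts = urlsplit(url)
    object_key = parts.path.lstrip("/")
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if not sig.isascii():
        return False
    current = int(time.time()) if now is None else int(now)
    if current >= expires:
        return False
    return hmac.compare_digest(_signature(object_key, expires, key), sig)


if __name__ == "__main__":
    issued_at = 1_700_000_000
    url = sign_download_url("https://media.example.test", "ids/u-7f3a/license.jpg",
                            300, now=issued_at)
    print(url)
    print(verify_download_url(url, now=issued_at))                                # valid
    print(verify_download_url(url, now=issued_at + 300))                          # expired
    print(verify_download_url(url.replace("u-7f3a", "u-9c21"), now=issued_at))    # swapped object
```

A signed link is still a bearer credential while it is valid, so keep the lifetime to minutes, issue it only after the authorization check on the API side has passed, and log downloads so the question Lampkin could not answer, whether anyone pulled these files, has an answer next time. And a key that ends up on a landing page, as the admin password did here, lets anyone mint links for every object in the bucket.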
TeaOnHer developer dismissed efforts to disclose flaws
Given that TeaOnHer had no official website at the time of our findings, TechCrunch contacted the email address listed on the privacy policy in an effort to disclose the security lapses.
But the email bounced back with an error saying the email address couldn't be found. We also tried contacting Lampkin through the email address on his website, Newville Media, but our email bounced back with the same error message.
TechCrunch reached Lampkin via LinkedIn message, asking him to provide an email address where we could send details of the security flaws. Lampkin responded with a general 'support' email address.
When TechCrunch discloses a security flaw, we reach out to confirm first that a person or company is the correct recipient. Otherwise, blindly sending details of a security bug to the wrong person could create a risk. Before sharing specific details of the flaws, we asked the recipient of the 'support' email address if this was the correct address to disclose a security exposure involving TeaOnHer user data.
'You must have us confused with 'the Tea app',' Lampkin replied by email. (We hadn't.) 'We don't have a security breach or data leak,' he said. (It did.) 'We have some bots at most but we haven't scaled big enough to be in that conversation yet, sorry you were misinformed.' (We weren't.)
Satisfied that we had established contact with the correct person (albeit not with the response we received), TechCrunch shared details of the security flaws, as well as several links to exposed driver's licenses, and a copy of Lampkin's own data to underscore the severity of the security issues.
'Thank you for this information. This is very concerning. We are going to jump on this right now,' said Lampkin.
Despite several follow-up emails, we have not heard from Lampkin since we disclosed the security flaws.
It doesn't matter if you're a one-person software shop or a billionaire vibe coding through a weekend: Developers still have a responsibility to keep their users' data safe. If you can't keep your users' private data safe, don't build it to begin with.
If you have evidence of a popular app or service leaking or exposing information, get in touch. You can securely contact this reporter via encrypted message at zackwhittaker.1337 on Signal.