
Latest news with #personalSafety

How we found TeaOnHer spilling users' driver's licenses in less than 10 minutes

Yahoo

5 days ago

For an app all about spilling the beans on who you're allegedly dating, it's ironic that TeaOnHer was spilling the personal information of thousands of its users to the open web. TeaOnHer was designed for men to share photos and information about women they claim to have been dating. But much like Tea, the dating-gossip app for women it was trying to replicate, TeaOnHer had gaping holes in its security that exposed its users' personal information, including photos of their driver's licenses and other government-issued identity documents, as TechCrunch reported last week.

These gated community-like apps were created ostensibly to let users share information about their relationships under the guise of personal safety. However, shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information to use apps and websites. Such risks are only going to worsen; popular apps and web services are already having to comply with age verification laws that require people to submit their identity documents before they can be granted access to adult-themed content, despite the privacy and security risks associated with storing databases of people's personal information.

When TechCrunch published our story last week, we did not publish specific details of the bugs we discovered in TeaOnHer, erring on the side of caution so as to not help bad actors exploit the bug. Instead, we decided to publish a limited disclosure, because of the app's rising popularity and the immediate risks that users faced when using the app. As of the time of disclosure, TeaOnHer was #2 in the free app charts on the Apple App Store, a position still held by the app today. The flaws we found appear to be resolved.

TechCrunch can now share how we were able to find users' driver's licenses within 10 minutes of being sent a link to the app in the App Store, thanks to easy-to-find flaws in the app's public-facing backend system, or API.
The app's developer, Xavier Lampkin, did not respond to multiple requests for comment after we submitted details of the security flaws, nor would Lampkin commit to notifying affected TeaOnHer users or state regulators of the security lapse. We also asked Lampkin if any security reviews were carried out before the TeaOnHer app was launched, but we got no reply. (We have more on disclosure later on.) Alright, start the clock.

TeaOnHer exposed 'admin panel' credentials

Before we even downloaded the app, we first wanted to find out where TeaOnHer was hosted on the internet by looking at its public-facing infrastructure, such as its website and anything hosted on its domain. This is usually a good place to start as it helps to understand what other services the domain is connected to on the internet. To find the domain name, we first looked (by chance) at the app's listing on the Apple App Store to find the app's website. This can usually be found in its privacy policy, which apps must include before Apple will list them. (The app listing also claims the developer 'does not collect any data from this app,' which is demonstrably false, so take that as you will.)

TeaOnHer's privacy policy was in the form of a published Google Doc, which included an email address with a domain, but no website. The website wasn't public at the time, so with no website loading, we looked at the domain's public-facing DNS records, which can help to identify what else is hosted on the domain, such as the type of email servers or web hosting. We also wanted to look for any public subdomains that the developer might use to host functionality for the app (or host other resources that should probably not be public), such as admin dashboards, databases, or other web-facing services.
But when we looked at TeaOnHer's public internet records, it had no meaningful information other than a single subdomain. When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, we uploaded a copy here). An API simply allows things on the internet to communicate with each other, such as linking an app to its central database.

It was on this landing page that we found the exposed email address and plaintext password (which wasn't that far off 'password') for Lampkin's account to access the TeaOnHer 'admin panel.' The API page showed that the admin panel, used for the document verification system and user management, was located at 'localhost,' which simply refers to the physical computer running the server and may not have been directly accessible from the internet. It's unclear if anyone could have used the credentials to access the admin panel, but this was in itself a sufficiently alarming finding. At this point, we were only about two minutes in.

Otherwise, the API landing page didn't do much other than offer some indication as to what the API can do. The page listed several API endpoints, which the app needs to access in order to function, such as retrieving user records from TeaOnHer's database, for users to leave reviews, and sending notifications. With knowledge of these endpoints, it can be easier to interact with the API directly, as if we were imitating the app itself. Every API is different, so learning how an API works and how to communicate with one can take time to figure out, such as which endpoints to use and the parameters needed to effectively speak its language. Apps like Postman can be helpful for accessing and interacting directly with APIs, but this requires time and a certain degree of trial and error (and patience) to make APIs spit out data when they shouldn't. But in this case, there was an even easier way.
TeaOnHer API allowed unauthenticated access to user data

This API landing page included an endpoint called /docs, which contained the API's auto-generated documentation (powered by a product called Swagger UI) that contained the full list of commands that can be performed on the API. This documentation page was effectively a master sheet of all the actions you can perform on the TeaOnHer API as a regular app user, and more importantly, as the app's administrator, such as creating new users, verifying users' identity documents, moderating comments, and more. The API documentation also featured the ability to query the TeaOnHer API and return user data, essentially letting us retrieve data from the app's backend server and display it in our browser.

While it's not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication — no passwords or credentials were needed to return information from the TeaOnHer database. In other words, you could run commands on the API to access users' private data that should not have been accessible to a user of the app, let alone anyone on the internet. All of this was conveniently and publicly documented for anyone to see.

Requesting a list of users currently in the TeaOnHer identity verification queue, for example — no more than pressing a button on the API page, nothing fancy here — would return dozens of account records on people who had recently signed up to TeaOnHer. The records returned from TeaOnHer's server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web address links containing photos of the users' driver's licenses and corresponding selfies.
Worse, these photos of driver's licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud server set as publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone's identity documents open the files from anywhere with no restrictions. With that unique user identifier, we could also use the API page to directly look up individual users' records, which would return their account data and any of their associated identity documents. With uninhibited access to the API, a malicious user could have scraped huge amounts of user data from the app, much like what happened with the Tea app to begin with.

From bean to cup, that was about 10 minutes, and we hadn't even logged in to the app yet. The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did. We asked, but Lampkin would not say if he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users' verification documents, such as by scraping web addresses from the API.

In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page, and it now displays only the state of the server that the TeaOnHer API is running on as 'healthy.' At least on cursory tests, the API now appears to rely on authentication, and the previous calls made using the API no longer work. The web addresses containing users' uploaded identity documents have also been restricted from public view.

TeaOnHer developer dismissed efforts to disclose flaws

Given that TeaOnHer had no official website at the time of our findings, TechCrunch contacted the email address listed on the privacy policy in an effort to disclose the security lapses. But the email bounced back with an error saying the email address couldn't be found.
We also tried contacting Lampkin through the email address on his website, Newville Media, but our email bounced back with the same error message. TechCrunch reached Lampkin via LinkedIn message, asking him to provide an email address where we could send details of the security flaws. Lampkin responded with a general 'support' email address.

When TechCrunch discloses a security flaw, we reach out to confirm first that a person or company is the correct recipient. Otherwise, blindly sending details of a security bug to the wrong person could create a risk. Before sharing specific details of the flaws, we asked the recipient of the 'support' email address if this was the correct address to disclose a security exposure involving TeaOnHer user data.

'You must have us confused with 'the Tea app',' Lampkin replied by email. (We hadn't.) 'We don't have a security breach or data leak,' he said. (It did.) 'We have some bots at most but we haven't scaled big enough to be in that conversation yet, sorry you were misinformed.' (We weren't.)

Satisfied that we had established contact with the correct person (albeit not with the response we received), TechCrunch shared details of the security flaws, as well as several links to exposed driver's licenses, and a copy of Lampkin's own data to underscore the severity of the security issues. 'Thank you for this information. This is very concerning. We are going to jump on this right now,' said Lampkin. Despite several follow-up emails, we have not heard from Lampkin since we disclosed the security flaws.

It doesn't matter if you're a one-person software shop or a billionaire vibe coding through a weekend: Developers still have a responsibility to keep their users' data safe. If you can't keep your users' private data safe, don't build it to begin with. If you have evidence of a popular app or service leaking or exposing information, get in touch.
You can securely contact this reporter via encrypted message at zackwhittaker.1337 on Signal.
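The two failure modes the article describes, an admin-only verification-queue endpoint served without any authentication check and identity documents stored as publicly readable objects, are both closed at the application layer in the following added example. This is illustrative Python written for this page, not code from TeaOnHer, TechCrunch, or any framework the app used; the session table, user records, signing key and the docs.example.invalid host are all constructed for the demo. It shows the unprotected handler next to a hardened one that requires a bearer token and the admin role, and replaces permanent storage links with HMAC-signed URLs that lapse after a few minutes, the same idea behind cloud presigned URLs.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo data: not TeaOnHer's real users, tokens or keys.
SIGNING_KEY = b"constructed-demo-signing-key"  # production: secret from a vault, rotated
SESSIONS = {
    "tok-admin": {"user_id": "u-admin", "role": "admin"},
    "tok-alice": {"user_id": "u-alice", "role": "user"},
}
VERIFICATION_QUEUE = [
    {"id": "u-alice", "email": "alice@example.com", "doc_key": "ids/u-alice/license.jpg"},
    {"id": "u-bob", "email": "bob@example.com", "doc_key": "ids/u-bob/passport.jpg"},
]
DOCS_HOST = "https://docs.example.invalid"  # hypothetical private document store


def verification_queue_unprotected(headers):
    """The failure mode: any caller, authenticated or not, receives every
    queued record together with the raw storage path of the ID document."""
    return 200, [dict(record) for record in VERIFICATION_QUEUE]


def signed_document_url(doc_key, ttl_seconds, now=None):
    """Mint a link that is only honoured until `expires`. The HMAC covers both
    the object key and the expiry, so neither can be changed without the key."""
    now = time.time() if now is None else now
    expires = int(now + ttl_seconds)
    sig = hmac.new(SIGNING_KEY, f"{doc_key}:{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{DOCS_HOST}/{doc_key}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_document_url(url, now=None):
    """Check a document store would run before serving the object."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    doc_key = parts.path.lstrip("/")
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False  # link has lapsed
    expected = hmac.new(SIGNING_KEY, f"{doc_key}:{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def verification_queue(headers, now=None):
    """Hardened handler: authenticate, then authorise, then minimise output."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    session = SESSIONS.get(auth[len("Bearer "):])
    if session is None:
        return 401, {"error": "invalid session"}
    if session["role"] != "admin":
        return 403, {"error": "admin role required"}
    # Hand out short-lived signed links instead of permanent storage paths,
    # and omit fields the reviewer does not need.
    return 200, [
        {
            "id": record["id"],
            "email": record["email"],
            "doc_url": signed_document_url(record["doc_key"], ttl_seconds=300, now=now),
        }
        for record in VERIFICATION_QUEUE
    ]


if __name__ == "__main__":
    print(verification_queue({}))
    print(verification_queue({"Authorization": "Bearer tok-alice"}))
    status, body = verification_queue({"Authorization": "Bearer tok-admin"})
    print(status, body[0]["doc_url"])
    print(verify_document_url(body[0]["doc_url"]))
```

The point of the signed-URL half is that a link appearing in an API response, a log, or a browser history stops being useful after its expiry, and changing the object key in the path invalidates the signature; on AWS the equivalent is keeping the bucket private and issuing presigned URLs, which is what 'restricted from public view' should mean in practice.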

Nationals MP Anne Webster drops request for protection orders against One Nation supporter

ABC News

20-06-2025

  • Politics

National Party MP Anne Webster and her husband Philip Webster have dropped a request for personal safety intervention orders against a One Nation supporter after an altercation at a Mildura car show. The Mildura Magistrate's Court put interim orders in place in April barring One Nation supporter Dean Lampard from contacting or approaching the Websters until Mr Lampard could obtain a lawyer. On Friday, the Victorian Solicitor General's Office dropped the application, saying it was unlikely to be approved. Magistrate Patrick Southey told the court Mr Lampard had made "nonsense" allegations against the Websters of corruption and paedophilia. "[They] were offensive, defamatory, crackpot, conspiracy theory allegations that hold no basis whatsoever," Magistrate Patrick Southey told the court. "If there was any shred of truth, [Anne Webster] wouldn't be a Member of Parliament and [Philip Webster] wouldn't be a doctor." Mr Lampard's lawyer Jamie Griffin said there was no evidence to suggest Mr Lampard's allegations against the Websters were "crackpot" or "conspiracy theory". The court heard Mr Lampard made the accusations against the Websters when he went to Anne Webster's Mildura office on March 1. The court heard on that occasion, she did not like what was said by Mr Lampard and asked him to leave. Six weeks later, on Good Friday, Dr Webster's husband approached Mr Lampard at a car show with two of her staff and a security guard. Mr Griffin previously told the court there was "a conversation and pushing and shoving", with Mr Webster shoving Mr Lampard. He said there were no allegations of assault or threats by his client at the car show, and that he left of his own accord. "How can it be said that Mr Webster has any fear at all when he approaches my client, assaults my client, and my client leaves?" he asked the court. The court heard Mr Griffin contested the legitimacy of the interim orders that he described as baseless and without proof of criminal conduct.
Mr Griffin told the court he found it questionable that a senior detective at Mildura Police Station brought the application to court in the first place. "It's exceptional that a matter like this, first of all, is prosecuted by a senior detective where there is no crime alleged here," Mr Griffin told the court. "The base of the claim is that there is a chance Mr Lampard may, in the future, make some other comment or approach Ms Webster." The media was denied a copy of the affidavit supporting the allegations made by the Websters against Mr Lampard because "it was protected information". Magistrate Southey told the court he believed the application for the interim orders had been made in good faith, despite them being withdrawn. "Is that largely because it's unlikely you can prove there is an ongoing likelihood of misbehaviour, is that the reason?" Magistrate Patrick Southey asked the lawyer for the Websters. Solicitor for the government, Nadia Deltondo, replied, "There are a number of reasons that unfortunately I can't answer." An application to have the Websters pay Mr Lampard's court costs was refused. Dr Webster retained the seat of Mallee in the May election with a slight swing toward her, in what is considered a safe seat. She was elevated three weeks ago to shadow minister for regional development, local government and territories and shadow minister for regional communications. The Websters were not in court for Friday's hearing.

The sad reason why a $29 Bunnings buy is selling out across Australia

Daily Mail

28-05-2025

  • Health

As concerns over personal safety grow across Australia, a pocket-sized device from Bunnings is becoming a must-have item for women, and now their children too. The Swann Graphite Gen 2 ActiveResponse Personal Alarm, retailing for just $29, is flying off the shelves as more women turn to the affordable gadget for extra peace of mind. But it's not just adults who are reaping the benefits of this modern safety essential, concerned mums are now purchasing the alarm for their kids as they become more independent. Small enough to clip onto a key ring or backpack, the device features two alarm modes: a siren and flashing light activated by pulling the keychain for immediate attention, and a discreet red button that silently sends an SOS message with real-time GPS coordinates to designated emergency contacts. 'Every parent should get one of these for your child,' one Bunnings reviewer raved. 'It's amazing how well it works.' The surge in popularity reflects a broader trend in Australia, where women, particularly mothers, are increasingly investing in personal safety tools amid rising concerns about violence and street harassment. In a 2023 report by Australia's National Research Organisation for Women's Safety, nearly two-thirds of Australian women reported feeling unsafe walking alone at night. It's no surprise then that products like the Swann personal alarm are gaining traction as a modern solution to an age-old problem. 'This is a wonderful product, small and well made,' another reviewer wrote. 'I bought this for my child who has just started high school and has started catching public transport... We've tested it a few times just to be sure and it's amazing how well it works.' For mums like this, the device offers 'a little bit of backup just in case.' 
'I'm not paranoid,' she wrote in her online review, 'but you still want that little bit of backup… She barely notices it's there, and I know if anything ever felt off, she could press the button and I'd get the alert straight away.' Unlike traditional personal alarms, the Gen 2 version includes built-in mobile connectivity and GPS, removing the need to pair with a smartphone - a critical feature for younger users or those who may not always carry their phones. The personal alarm also has the tick of approval from New Zealand TikToker Jen Lourdes, who posted a now-viral video on the device. Jen said she picked up the device after seeing other women recommend it as a simple but effective way to feel a little safer. 'There was a lady on TikTok that recommended getting the personal alarm,' Jen said. 'This is really great if you're going runs or you're solo travelling, or if you work night shifts.' The small, sleek, pocket-size device doesn't look like much, but packs a serious punch when it comes to making enough noise to (hopefully) ward off danger. 'What you do is you pull it, and it makes a really loud noise,' Jen explained. Alternatively, you can push a button and it texts a friend or family member. Compact enough to clip onto a keychain or lanyard, the alarm is easy to carry during a jog, stash in a handbag or keep close while walking to the car after a night shift. 'I'm slowly started to get into running so I thought it would be perfect to take with me when I go on a run,' Jen added. 'I also do a lot of solo travelling for work, I feel like it's just a bit of extra security.' While it's comforting to know gadgets like this exist, the surge in popularity sadly reflects a growing reality: women in 2025 are still forced to think about personal safety every time they step outside alone.
'The fact that we live in a world where we need this to feel safe,' one follower commented. 'These should be handed out for free at police stations tbh. Genius!' added another. While the Swann ActiveResponse offers a quick, affordable way to feel more empowered, the hope remains that one day, women won't have to plan their day around personal protection. For now though, many are praising Jen and others like her for spreading the word about such a useful gadget. 'Omg this is such a good idea!! Need this asap.'

Woman issues warning about disturbing act at Aussie servo

Daily Mail

19-05-2025

An Aussie woman has expressed her outrage after she witnessed a 'creepy' exchange between two men at a service station. Claire Champion was concerned for a female worker's welfare after overhearing a conversation at a Metro Petroleum in Tahmoor on Sydney's south-west outskirts on Saturday. In a video shared to TikTok, Ms Champion explained she overheard an older man enquiring about a female worker's shift schedule with her male colleague. She said the customer did not know the female worker's name or when she would be working next until her colleague confirmed her name was Ally and shared her upcoming shift rotation. Ms Champion was alarmed by the conversation and believes the information shouldn't have been passed on without Ally's consent. 'I know this is a long shot in reaching you, but I know for a fact that if that was me, I would not want someone who didn't know me well enough, to ask me my work schedule and didn't know my name,' she said. Ms Champion urged followers to track down Ally so that she was aware that personal information had been given out to a customer. '[The man] was asking a lot of questions about you,' she said in her plea to Ally. 'I wouldn't want them knowing that information about me, so I hope this reaches you. 'Stay safe out there Queens.' Many viewers agreed that Ally's colleague was in the wrong, with some going as far as to say he should be sacked. 'Sharing personal information about a co-worker—like their name, schedule, or any other details—with someone we don't know is a serious breach of privacy,' one wrote. 'It doesn't matter how harmless the request might seem; we have a responsibility to protect each other's personal information in the workplace. 'We never know what someone's true intentions are, and giving out that kind of info without permission can put someone at risk or make them feel unsafe.' 'Ally, your co-worker needs a talking to,' another commented.
A third wrote: 'Genuinely baffled why her colleague did this?' Others assured Ms Champion that she had done the right thing. 'Girls protecting girls in Australia – this is amazing,' one woman wrote. Micha Hayek, whose family runs Metro Petroleum Tahmoor, reviewed CCTV of the incident after coming across Ms Champion's video. 'Our team member did get reprimanded and the entire team got an updated briefing on the safety of privacy and protecting each other at work and how to act in these situations,' Ms Hayek told 'Because our station is in a small town, we have many return customers so after we showed Ally the footage to see what our next steps should be, it turns out he has been her regular customer for a while and she knows him, and he was just asking because she is not working her usual hours.' While Ms Champion was inundated with support for her video, not everyone agreed with her approach. In a subsequent video she clarified some details after being asked why she hadn't contacted the service station directly. She explained she had no way of knowing if the male worker was, in fact, the manager and therefore lodging a complaint to him wouldn't have been helpful to Ally. Ms Champion also noted the service station was remote and didn't want to put herself in a potentially dangerous situation by intercepting the conversation as she justified her actions. 'My job was to make sure she was aware that a potential stranger knew her weekly schedule and was asking multiple questions about her,' she explained. 'This video made it to Ally and her family, as well as the service station manager. My approach worked, why criticise me for trying to do the right thing?'

TSB offers free access to personal safety app Hollie Guard Extra

Finextra

14-05-2025

UK bank TSB is offering customers who are fleeing or experiencing abuse free access to personal safety app Hollie Guard Extra for a year. Hollie Guard Extra, the paid-for version of the free Hollie Guard app, costs £7.99 a month and transforms an everyday smartphone into a personal safety device. With a tap or shake of the device, the user can send alerts to chosen emergency contacts, including the police, and a 24/7 monitoring centre. The app allows for a user's location to be shared every five seconds, alongside audio and video recordings to help keep people safe in a vulnerable or potentially dangerous situation. TSB customers can now download the app and add a unique activation code for free access. Anyone wishing to claim can discuss their situation in branch, over the phone or via video banking. Downloaded by almost 500,000 people in the UK, Hollie Guard Extra is used by police forces across the country and has led to numerous arrests. TSB has added the free Hollie Guard Extra access to its existing domestic abuse support, which includes its Emergency Flee Fund, which provides up to £500 to help customers escape an abuser, and in-branch and online safe spaces. Minister for safeguarding and violence against women and girls, Jess Phillips MP, says: "TSB's initiative shows how businesses can take action to prioritise their customers' safety and help deliver the whole-society approach needed to create lasting change in our fight against violence and abuse."
