TeaOnHer app spills not only Tea but also IDs, emails, and selfies

Men are catching up with the Tea app’s female users, with their very own TeaOnHer app also leaking personal data – including driver’s licenses.
TeaOnHer is a rival app to the infamous Tea app for women. Where Tea provides a platform for women to share their dating horror stories and warn others, TeaOnHer is basically the same thing, but for men.
The app’s general idea, layout, and build are also similar. And surprise, surprise, TeaOnHer is now also leaking sensitive user data, including government-issued IDs and selfies, only a week after it was launched on Apple’s App Store.
The news comes just a week after a cache of data was spilled from an unprotected database linked to the Tea app, which users of 4chan revealed they had found. That database included over 72,000 images, among them thousands of selfies and government IDs used for account verification.
This was followed by another hack that exposed another million private messages, which proved to be the last drop in the already cracked Tea app cup – it has since shut down its messaging feature.
Both hacks were controversial, as critics pointed out that there was little to no chance of verifying the claims women made on the app about the men they claimed to have dated.
TeaOnHer appears to be a direct response to Tea, also allowing users to share their dating experiences. However, just like in Tea, this hard-to-verify information is not the weakest link on the app.
TechCrunch uncovered at least one vulnerability in TeaOnHer that exposes users’ private data. This data includes usernames, email addresses, selfies, and driver’s license images. It’s all accessible through public URLs, meaning that anyone with the direct links can view these sensitive materials in their browser.
In one instance, TechCrunch reviewed a list of posts from the app, which included users’ email addresses, display names, and self-reported locations. The now publicly available data may affect any user who uploaded ID documents or registered with the app. Additionally, internal metrics indicate that the app currently has around 53,000 users.
Another issue TechCrunch found was an exposed email and plaintext password belonging to Xavier Lampkin – the developer who uploaded the app to the iOS App Store in the first place.
His credentials appear to grant access to the app’s admin dashboard. While TechCrunch did not attempt to log in, the discovery underscores the dangers of leaving backend access wide open.
Apart from these technical flaws, the content found on TeaOnHer is also concerning.
The app's users have to be verified, so they are asked to submit their IDs and selfies. However, it’s now known that this process is not fully automated, and that the app allows people to use it as “guests” without having to log in.
When TechCrunch used the “guest” view, they observed multiple identical pictures of a naked woman posted under several different usernames, indicating possible spam or abuse. It remains unclear if the woman in the picture consented to being photographed or to having her photograph duplicated online.
Other posts showed women’s names and images, accompanied by comments calling them “easy” or accusing them of having STIs.