Whatever else you want to say about the app, it is a serious matter when TeaOnHer exposes the personal information of thousands of its users to the open web.
TeaOnHer is designed for men to share photos and information about women they claim to have dated. But much like Tea, the gossip app for women that it is trying to copy, TeaOnHer had a gaping security hole that exposed users' personal information, including driver's licenses and photos of other government-issued identity documents, as TechCrunch reported last week.
Apps like this are ostensibly built so that users can share information relevant to their personal safety. However, the shoddy coding behind them highlights the privacy risk created by requiring users to submit sensitive information in order to use the app and website.
That risk will only grow: popular web apps and services are increasingly subject to age verification laws that require people to submit an identity document before they can access the relevant content, even though storing databases of people's personal information carries its own security risks.
When TechCrunch published the story last week, we did not publish the specific details of the flaws we found in TeaOnHer, erring on the side of caution so as not to help bad actors exploit the bug. We decided instead to publish a limited disclosure, given the app's growing popularity and the immediate risk to its users.
At the time of our disclosure, TeaOnHer was #2 on the free apps chart of the Apple App Store, a position the app still holds now.
The flaws we found now appear to have been fixed. TechCrunch can now show how we found users' driver's licenses within 10 minutes of being sent a link to the app in the App Store, thanks to a flaw in the app's back-end system, or API.
The app's developer, Xavier Lampkin, did not respond to several requests for comment after we provided details of the security flaws, and it is not known whether he has notified affected users or regulators.
We also asked whether a security review was carried out before TeaOnHer launched, but did not get a reply. (More on the disclosure later.)
OK, start the clock.
TeaOnHer's 'admin panel' credentials
Before even downloading the app, we wanted to know where TeaOnHer was hosted on the internet by looking at its public infrastructure, such as its website and any domains.
This is usually a good place to start, because it helps establish what other domains and services the company has on the internet.
To find a domain name, we first looked (without much luck) at the app's listing in the Apple App Store for a link to the app's website. One can usually be found in the privacy policy, which a developer must submit before Apple will list the app. (The app listing also claims the developer "does not collect data from this app," which is demonstrably false, so take it for what it is.)
TeaOnHer's privacy policy is a published Google Doc, which includes email addresses on the teaonher.com domain, but no website.
Since there was no website to go on, we looked at the domain's DNS records, which can help uncover anything else on the domain, such as its mail or web hosts. We also wanted to find any public subdomains that the developer might be using to host the app's back-end (or other resources that should not be exposed), such as an admin dashboard, a database, or some other outward-facing service.
But looking at TeaOnHer's internet records, there was little useful information except for one subdomain, appserver.teaonher.com.
When we opened that address in our browser, what loaded was a landing page for TeaOnHer's API (for the curious, we uploaded a copy here). An API is what allows things on the internet to talk to each other, such as an app and its database.
It was on this landing page that we found an exposed email address and password (the password being not much more than 'my') for Lampkin's account to access TeaOnHer's "admin panel."
The landing page showed that the admin panel, which is used for the document verification system and for user management, is on "localhost," meaning it is only reachable from the server's own machine and not directly from the internet. It is not clear whether someone could use the credentials to access the admin panel, but it was a notable discovery nonetheless.
At this point, we were only about two minutes in.
Otherwise, the API landing page offered little more than some indications of what the API could do. The page listed a few API endpoints the app must access in order to work, such as fetching a user record from the TeaOnHer database, and sending notifications.
With knowledge of the endpoints, it may be possible to interact with the API directly, as if we were mimicking the app itself. Every API is different, so figuring out how to talk to one can take time, such as working out which commands and parameters make it respond. Apps like Postman can be useful for accessing and interacting with APIs, but it takes time, trial and error, and a certain (patient) persistence, because it does not always work.
But in this case, something was easier.
TeaOnHer's API lets anyone access user data
The landing page included a link to a page called /docs, containing auto-generated documentation (produced by a product called Swagger UI) with a complete list of the commands that can be run against the API.
This documentation page is effectively a cheat sheet of all the actions a regular app user can take in TeaOnHer, such as posting comments, moderating comments, and more.
The API documentation also displayed the ability to query the TeaOnHer API and return user data, supposedly taking that data from the app's server and displaying it in our browser.
While it is not uncommon for developers to publish API documentation, the problem here was that some of the API requests could be performed without any password at all to retrieve information from the TeaOnHer database. In other words, you could run commands in the API to access users' personal data that should not be accessible from outside the app, let alone on the open internet.
All of this was easily and publicly documented for anyone to see.
Looking up the current list of users in TeaOnHer's verification queue, for example, took no more than hitting a button on the API's documentation page; it returned dozens of accounts belonging to people who had just signed up.
The records returned from the TeaOnHer server contained each user's unique identifier in the app and their reported details, including location, and also included web address links to the user's driver's license and selfie.
Worse, these driver's license photos, government-issued IDs, and selfies were stored on an Amazon-hosted server that made them publicly accessible through their web addresses. This configuration allowed anyone with the link to open the identity documents from anywhere, without restriction.

With a user's unique identifier, we could also use the API to instantly display that user's individual record, which returned their account data and the related identity documents. With open access to the API, malicious users could scrape data on many users from the app, as happened to the Tea app before it.
From start to finish, about 10 minutes, and we never logged in to the app. It was easy enough that it would be a surprise if no one malicious had done it before us.
We asked, but Lampkin would not say whether he has the technical ability to determine if anyone used (or abused) the API at any point to obtain users' verification documents.
In the days since we reported the flaws to Lampkin, the API landing page has been taken down, along with the documentation page, and the server now displays only a status showing that it is "healthy." At least by a cursory test, the API now appears to require authentication, and the calls that previously worked are no longer accessible.
The web addresses containing users' uploaded documents have also been restricted from public view.
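The three conditions the article describes being fixed (the documentation page no longer served, user-data endpoints requiring authentication, and uploaded ID photos no longer world-readable) are exactly what a developer should verify before shipping. The following is an added example, not TeaOnHer's code: a pre-release check that flags each condition, with the HTTP call injected so it can be pointed at a staging server or, as here, at a constructed fake. Only /docs comes from the article; the other paths, the api.example and storage.example hosts, and the fake server are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Paths under test. Only /docs comes from the article; the other paths are
# HYPOTHETICAL placeholders to be replaced with the service's real routes.
DOC_PATHS = ["/docs", "/openapi.json"]
USER_DATA_PATHS = ["/users", "/users/verification-queue", "/users/1"]
# fetch(url, headers) -> (status_code, body_text). Injected so the check can be
# pointed at a staging server or, as below, at a constructed fake.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, str]]

@dataclass(frozen=True)
class Finding:
    severity: str
    url: str
    detail: str

def check_api_exposure(base_url: str, doc_urls: List[str], fetch: Fetch) -> List[Finding]:
    """Flag public API docs, user data served without credentials, and public ID uploads."""
    findings: List[Finding] = []
    no_auth: Dict[str, str] = {}  # deliberately no Authorization header
    for path in DOC_PATHS:
        status, body = fetch(base_url + path, no_auth)
        if status == 200 and ("swagger" in body.lower() or "openapi" in body.lower()):
            findings.append(Finding("medium", base_url + path, "API documentation is publicly served"))
    for path in USER_DATA_PATHS:
        status, _ = fetch(base_url + path, no_auth)
        if status == 200:
            findings.append(Finding("critical", base_url + path, "user data returned without authentication"))
        elif status not in (401, 403, 404):
            findings.append(Finding("low", base_url + path, f"unexpected status {status} without credentials"))
    for url in doc_urls:  # links to uploaded ID photos, as found inside user records
        status, _ = fetch(url, no_auth)
        if status == 200:
            findings.append(Finding("critical", url, "uploaded identity document is world-readable"))
    return findings

def fake_server(docs_public: bool, auth_required: bool, storage_public: bool) -> Fetch:
    """Constructed stand-in for a real server, modelling the 'before' and 'after' states."""
    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if url.endswith(("/docs", "/openapi.json")):
            return (200, "<title>Swagger UI</title>") if docs_public else (404, "")
        if "storage.example" in url:  # the object store holding uploaded ID photos
            return (200, "<jpeg bytes>") if storage_public else (403, "")
        if auth_required and "Authorization" not in headers:
            return (401, "")
        return (200, '{"id": 1, "license_url": "https://storage.example/ids/1.jpg"}')
    return fetch
```

Against the "before" state (`fake_server(True, False, True)`) the check returns six findings, four of them critical; against the hardened "after" state (`fake_server(False, True, False)`) it returns none, which is the result a release gate should require.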
TeaOnHer's developer rebuffed efforts to disclose the flaw
Given that TeaOnHer has no official website to speak of, TechCrunch contacted the email address listed in its privacy policy in an effort to report the security issue.
But the email bounced back with an error saying the address could not be found. We also tried to contact Lampkin through an email address on his website, Newville Media, but our email bounced with the same error message.
We reached Lampkin via a LinkedIn message, asking him to provide an email address where we could send details of the security flaw. Lampkin responded with a public "support" email address.
When TechCrunch reports a security flaw, we first confirm that the person or company is the correct recipient. Otherwise, blindly sending details of a security bug to the wrong person can create risk. Before sharing the specific details of the flaw, we asked the "support" email address whether it was the correct address for reporting a security issue involving TeaOnHer user data, including usernames.
"You must be confusing us with the 'Tea app,'" he replied by email. (We were not.) "We do not have a security breach or data leak," he said. (It does.)
Satisfied that we had established contact with the right person (albeit one not responsive to the details he received), we sent Lampkin details of the flaw, some of the exposed data, and the questions we had for him.
"Thank you for this information. This is too. We'll jump on it now," said Lampkin.
Despite several follow-up emails, we have not heard from Lampkin since we published news of the security flaw.
It doesn't matter if you are a one-person software shop or a billion-dollar company vibe-coding over the weekend: the developer is still responsible for keeping user data secure. If you can't keep your users' private data safe, don't ship it.
If you have evidence that a popular app or service is leaking or exposing information, get in touch. You can contact this reporter securely via an encrypted message on Signal at Zackwhitker.137.