What I Found: An Unlocked Digital Door
What I discovered was even more concerning than the initial reports suggested. TeaOnHer, a male-focused dating verification platform, had essentially left its entire backend configuration sitting in an unlocked digital drawer for anyone to find.
Imagine downloading a dating app that promises to keep you safe through identity verification. You upload your driver's license, a selfie, and personal details, trusting the platform to protect this sensitive information. Now imagine those documents being accessible to anyone with basic web browsing skills.
It took less than ten minutes to map out the platform's backend, locate administrative credentials, and understand exactly how an attacker could gain unauthorized access to user verification data.
Following the Digital Breadcrumbs
The investigation began with standard reconnaissance: examining the app's public-facing information. Hidden in plain sight within TeaOnHer's App Store listing was a link to its privacy policy, which pointed to a domain: `appserver.teaonher.com`.
Instead of a login interface or landing page, that domain returned a complete JSON configuration document: essentially the application's internal playbook, readable by anyone with an internet connection.
The JSON announced itself with the message "Welcome to TruthTalk API - Complete Male Dating Review Platform" and went on to list all nine platform features and every available endpoint. In a single unauthenticated response it exposed complete API endpoint documentation, administrative credentials in plaintext, internal system references that had leaked into production, and sensitive endpoints with no authentication requirement.
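The triage step of this reconnaissance, written out as an added example (not code from the original post or from TeaOnHer): given the body returned at an API root, it first checks whether the response is a self-describing JSON index rather than a landing page, then walks the document and flags plaintext credentials by key name, references to loopback or private hosts such as the `localhost:3003` admin panel mentioned later on this page, object-storage URLs of the kind that pointed at identity documents, and routes that touch verification or admin data. The sample JSON, its keys, routes and values are all constructed for illustration and are not the real response.

```python
"""Triage of an exposed API root document.  Added example, not TeaOnHer's
or the author's code.  The JSON below is constructed to resemble the kind of
self-describing response the post describes; it is not the real response,
and every key, route and value in it is an assumption for illustration."""
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed sample response (not real data).
SAMPLE_RESPONSE = json.dumps({
    "message": "Welcome to Example API",
    "features": ["user verification", "reviews", "admin panel"],
    "endpoints": {
        "health": "/api/v1/health",
        "verification_queue": "/api/v1/verification/queue",
        "verification_document": "/api/v1/verification/{id}/document",
        "admin_panel": "http://localhost:3003/admin",
    },
    "storage": {"bucket_url": "https://example-bucket.s3.amazonaws.com/verifications/"},
    "admin": {"username": "admin", "password": "hunter2"},
    "integrations": {"aws_access_key_id": "AKIAEXAMPLEEXAMPLE"},
})

# Key names that normally hold material which must never be served publicly.
SECRET_KEY_RE = re.compile(
    r"pass(word|wd)?|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|credential",
    re.IGNORECASE)
# Route segments that touch identity documents, users or admin functions.
SENSITIVE_PATH_RE = re.compile(
    r"/(verification|admin|document|user|report)s?(/|$|\{)", re.IGNORECASE)
# Hosts for object storage buckets (S3, GCS, Azure Blob).
CLOUD_STORAGE_RE = re.compile(
    r"((^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com|storage\.googleapis\.com|\.blob\.core\.windows\.net)$",
    re.IGNORECASE)


def looks_like_api_index(content_type, body):
    """True when a root URL answers with JSON that enumerates its own routes,
    i.e. a self-describing API rather than a landing page."""
    if "json" not in content_type.lower():
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and any(k in doc for k in ("endpoints", "routes", "paths"))


def _walk(node, path=""):
    """Yield (dotted location, leaf value) for every scalar in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def _is_internal_host(host):
    """Loopback, RFC 1918 and *.local/*.internal hosts have no business in a
    configuration that production serves to the public."""
    if host in ("localhost", "0.0.0.0") or host.endswith((".local", ".internal")):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private


def _redact(value):
    """Keep a short prefix so a finding can be matched to its source, never the value."""
    text = str(value)
    return text[:2] + "..." if len(text) > 4 else "***"


def triage(body):
    """Classify leakage in an exposed API index.  Returns a dict of
    category -> list of {"location", "value"} findings; secret values are redacted."""
    findings = {"plaintext_secret": [], "internal_reference": [],
                "cloud_storage": [], "sensitive_endpoint": []}
    for location, value in _walk(json.loads(body)):
        key = location.rsplit(".", 1)[-1]
        if isinstance(value, str) and value and SECRET_KEY_RE.search(key):
            findings["plaintext_secret"].append({"location": location, "value": _redact(value)})
        if not isinstance(value, str):
            continue
        parsed = urlparse(value)
        host = parsed.hostname or ""
        if host and _is_internal_host(host):
            findings["internal_reference"].append({"location": location, "value": value})
        if host and CLOUD_STORAGE_RE.search(host):
            findings["cloud_storage"].append({"location": location, "value": value})
        if SENSITIVE_PATH_RE.search(parsed.path):
            findings["sensitive_endpoint"].append({"location": location, "value": value})
    return findings


if __name__ == "__main__":
    print("api index:", looks_like_api_index("application/json", SAMPLE_RESPONSE))
    for category, items in triage(SAMPLE_RESPONSE).items():
        for item in items:
            print(f"{category:20} {item['location']:35} {item['value']}")
```

Secret values are redacted in the findings so that the triage output itself can be pasted into a disclosure report without reproducing the credential; the key-name heuristics are deliberately broad, and a reviewer confirms each hit by hand before it goes into a report.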
The Nine Exposed Features
The Keys to the Kingdom
Scrolling through the exposed JSON configuration revealed information that should never be publicly accessible:
Development Environment Leakage: The configuration referenced an admin panel running on `http://localhost:3003`, indicating that development environment details had been pushed to production unchanged. A loopback address in a configuration served from a public host is a reliable sign that nothing separates what developers run locally from what production publishes.
The Attack Surface: Understanding the Risk
With the information exposed in this configuration file, a malicious actor had several avenues of attack.
By calling the `/api/v1/verification/*` endpoints, which required no authentication, an attacker could retrieve the verification queue, exposing user names and email addresses, direct links to uploaded identity documents, and verification status alongside personal details.
The exposed AWS S3 URLs could allow direct access to driver's license scans, passport photos, selfie verification images, and other identity verification documents, provided the bucket permitted public reads; the tightening of S3 permissions during remediation suggests that it did.
Using the hardcoded credentials, an attacker could potentially manipulate user verifications, delete or modify user reports, impersonate verified users, and access administrative functions.
Essential Security Takeaways
The TeaOnHer incident highlights fundamental security principles that apply across the board. For developers, never expose API documentation publicly, and never store credentials in configuration files that are served to the public. For platforms handling sensitive data, implement proper authentication on all endpoints and keep development and production environments separate. For users, treat identity verification uploads with extreme caution and research a platform's security practices before sharing personal documents. The core lesson remains simple: basic security hygiene prevents the majority of data exposures, regardless of technical complexity or company size.
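The developer and platform takeaways above, shown as an added example in Python (not TeaOnHer's or the author's code): the same three routes written the way the exposure suggests the original was built, beside a hardened version that keeps secrets out of any object a handler can serialise, refuses to start in production with a missing token or a localhost reference, serves documentation only in development, and authenticates every verification route before touching data. The routes, field names, environment variable names and token value are assumptions for illustration.

```python
"""Added example (not TeaOnHer's code): the kind of root-serves-everything
API the post describes, next to a hardened version of the same three routes.
Routes, field names, environment variable names and the token value are
assumptions for illustration."""
import hmac
from http import HTTPStatus

# Constructed verification record, standing in for the real queue.
VERIFICATION_QUEUE = [{"user": "alice@example.com",
                       "document": "https://example-bucket.s3.amazonaws.com/alice-id.jpg"}]

# --- Vulnerable shape: one config object holds secrets, dev details and routes,
# --- and the root handler serialises all of it.
VULNERABLE_CONFIG = {
    "message": "Welcome to Example API",
    "endpoints": {"docs": "/docs", "verification_queue": "/api/v1/verification/queue"},
    "admin": {"username": "admin", "password": "hunter2"},   # plaintext credential
    "admin_panel": "http://localhost:3003",                   # dev-only detail
}


def vulnerable_handle(path, headers):
    """Returns (status, body).  No route checks who is asking."""
    if path == "/":
        return HTTPStatus.OK, VULNERABLE_CONFIG                # leaks everything
    if path == "/docs":
        return HTTPStatus.OK, VULNERABLE_CONFIG["endpoints"]   # docs always on
    if path == "/api/v1/verification/queue":
        return HTTPStatus.OK, VERIFICATION_QUEUE               # no authentication
    return HTTPStatus.NOT_FOUND, {}


# --- Hardened shape.
class Settings:
    """Secrets come from the environment and live only on this object, which
    no handler serialises.  Startup fails closed on an unsafe production config."""

    def __init__(self, environ):
        self.env = environ.get("APP_ENV", "production")
        self.admin_token = environ.get("ADMIN_API_TOKEN")
        self.admin_panel_url = environ.get("ADMIN_PANEL_URL", "")
        if self.env == "production":
            if not self.admin_token:
                raise RuntimeError("ADMIN_API_TOKEN must be set in production")
            if "localhost" in self.admin_panel_url or "127.0.0.1" in self.admin_panel_url:
                raise RuntimeError("development host in production configuration")

    def public_view(self):
        """The only thing the root route is allowed to say."""
        return {"message": "Example API", "env": self.env}


def settings_rejects(environ):
    """True when Settings refuses the given environment at startup."""
    try:
        Settings(environ)
    except RuntimeError:
        return True
    return False


def _authorized(settings, headers):
    """Bearer-token check using a constant-time comparison."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return (scheme == "Bearer" and settings.admin_token is not None
            and hmac.compare_digest(token.encode(), settings.admin_token.encode()))


def hardened_handle(settings, path, headers):
    """Returns (status, body).  Docs only in development; every verification
    route requires authentication before any data is touched."""
    if path == "/":
        return HTTPStatus.OK, settings.public_view()
    if path == "/docs":
        if settings.env != "development":
            return HTTPStatus.NOT_FOUND, {}
        return HTTPStatus.OK, {"endpoints": ["/api/v1/verification/queue"]}
    if path.startswith("/api/v1/verification/"):
        if not _authorized(settings, headers):
            return HTTPStatus.UNAUTHORIZED, {"error": "authentication required"}
        return HTTPStatus.OK, VERIFICATION_QUEUE
    return HTTPStatus.NOT_FOUND, {}


if __name__ == "__main__":
    # Constructed environment for the demo; a real deployment sets these outside the code.
    prod = Settings({"APP_ENV": "production", "ADMIN_API_TOKEN": "constructed-demo-token"})
    print("vulnerable /      ->", vulnerable_handle("/", {}))
    print("hardened   /      ->", hardened_handle(prod, "/", {}))
    print("hardened   /docs  ->", hardened_handle(prod, "/docs", {}))
    print("hardened   queue  ->", hardened_handle(prod, "/api/v1/verification/queue", {}))
```

The two startup checks in `Settings` are the cheap version of separating development from production: a production process that cannot load its token, or that still carries a loopback URL, refuses to start rather than serving a half-configured API. The documentation route is gated on the environment rather than on a flag that can be forgotten, and the authentication check runs before any verification data is read.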
The Technical Breakdown: Where Security Failed
The Response and Current Status
Following responsible disclosure practices, the security issues were reported to the platform. Subsequently, access to the API documentation endpoint (`/docs`) was restricted, and AWS S3 permissions were tightened to prevent unauthorized access to the stored documents.
However, the incident raises important questions about user notification and transparency. As of this writing, it remains unclear whether users affected by this exposure have been informed about the potential compromise of their verification data: a recurring challenge with smaller platforms that may lack comprehensive incident response procedures.
The Broader Implications
This incident illustrates a critical truth about modern digital security: sophisticated attacks aren't always necessary when basic security fundamentals are overlooked. The TeaOnHer case wasn't the result of advanced persistent threats or zero-day exploits. It was simply an unlocked door.
When platforms collect sensitive personal information, particularly identity verification data, they become custodians of user trust. This responsibility extends beyond functional requirements to encompass fundamental security practices that protect user privacy and safety.
The Bottom Line
The TeaOnHer incident serves as a stark reminder that security isn't optional for any platform handling personal data. This wasn't a sophisticated hack or an advanced persistent threat. It was basic security fundamentals being overlooked, creating a massive exposure of sensitive user verification data.
The moment any application begins collecting personal information, whether it's a simple email address or comprehensive identity verification documents, it assumes responsibility for protecting that data. This responsibility doesn't scale with company size or technical sophistication. It exists from day one.
Security isn't just for big tech companies with dedicated security teams. It's a fundamental requirement for any platform that asks users to trust them with their personal information. The TeaOnHer incident serves as a reminder that in the world of digital identity, an unlocked door isn't just a security vulnerability: it's a breach of user trust.
Need help with POPIA compliance? Ubuntu Guard offers POPIA compliance consulting for South African businesses — from gap analysis to policy drafting and staff training.