Men’s Rival Tea App Leaks Personal Information and Driver’s Licenses of Users

TeaOnHer is an app designed for men to share images and details about women they claim to have dated, which has suffered a data leak of users’ personal information, including government IDs and selfies, as reported by TechCrunch.

Recently launched on the Apple App Store, TeaOnHer serves as a response to the widely-used app Tea, which allows women to share their experiences with men they date. Marketed as a tool for women’s safety, Tea has more than 6 million users and operates similarly to Facebook groups asking, “Are we dating the same guy?” Nonetheless, its credibility has come under fire due to unverifiable claims made by users.

The backlash against Tea heightened last week when 404 Media revealed that users from 4chan had found a publicly accessible database linked to the app. This database contained over 72,000 images, including numerous selfies and photo IDs meant for account verification. Following this, a subsequent breach exposed more than 1 million private messages exchanged through the app, prompting the temporary suspension of its messaging feature.

TeaOnHer, which is currently ranked No. 2 among Lifestyle apps on iOS, appears to directly contend with the Tea app, even mirroring language from Tea’s App Store listing in its own description.

However, like the app it mimics, TeaOnHer reveals its own security flaws.

TechCrunch has uncovered at least one security vulnerability granting unrestricted access to confidential data of TeaOnHer users, including usernames, email addresses, driver’s licenses, and selfies. The images of these licenses can be accessed through public web links, making them viewable to anyone with the URLs.

In one observation, TechCrunch discovered a compilation of posts on TeaOnHer that included each user’s email address, display name, and self-reported location.

To mitigate potential misuse, TechCrunch will not disclose certain specific details related to the vulnerabilities. The app’s developers have not responded to TechCrunch’s requests for information on these issues. As a result, this report is being released with limited details, given the app’s rising popularity and associated risks.

TeaOnHer has been submitted to the iOS App Store by a developer called Newville Media Corporation. As per LinkedIn, the founder and CEO of this company is Xavier Lampkin.

TechCrunch has identified at least one record in TeaOnHer linked to Lampkin’s personal data.

This security breach poses potential risks to any user who registered or shared identity documents with the app. The issue suggests that TeaOnHer currently has approximately 53,000 users as of this report’s publication.

Additionally, TechCrunch discovered another potential security threat where an email address and plaintext password belonging to Lampkin, the app’s creator, were left exposed on the server. These credentials appeared to allow access to the app’s “admin” panel. TechCrunch chose not to use this access, as it would be illegal, but it highlights the dangers of leaving admin credentials unprotected online.

Alongside its security issues, the content present in TeaOnHer raises concerns. While the app requires IDs and selfies for user verification—although this process isn’t automated—users can still access a “guest” view without logging in.

Upon entering the “guest” view, TechCrunch encountered multiple images of the same naked woman, posted under different names in what seemed to be spam. It’s unclear whether this individual consented to her images being shared. Other posts included images and names of women, coupled with derogatory remarks labeling them as “easy” or alleging they are carriers of sexually transmitted infections.

In terms of free app popularity, TeaOnHer ranks No. 17, surpassing platforms like Instagram, Netflix, Uber, and Spotify. The Tea app is currently positioned at No. 2.