Tea app leak worsens with second database exposing user chats

Photo ID, KYC, and Identity Verification

  • Many commenters say they refuse apps that demand photo ID uploads, especially nonessential ones.
  • Some accept IDs only for high-stakes cases (mortgages, banks, government, airlines, serious exams), not for social apps.
  • Concern that governments are pushing ID-based access to most of the web “to protect children,” forcing people to leak PII to third parties for mandatory services.
  • Others note you can’t avoid ever showing ID, but you can avoid creating digital copies and insist on in-person verification where possible.
  • Calls for a standard that lets services verify limited attributes (age, residency) without sharing full ID; others fear this would just normalize broader ID demands.
  • Skepticism that governments or commercial ID providers can run such systems securely or without abuse.

Nature of the Tea App and Reactions to the Leak

  • Tea is widely characterized as a gossip/defamation platform, compared to Kiwi Farms “for girls” and as a toxic dating-adjacent space.
  • Some see the leak as “karma” for users participating in slander and doxxing; others emphasize collateral damage to more innocent or merely curious users.
  • Worry that such platforms can “shadow-ban” people from dating or be used informally by employers or vigilantes, even if claims are unverified.
  • Debate over whether private messages can create libel exposure; some say yes if reputations are harmed, others think hacked datasets are easily deniable.

Toxicity and Gender Dynamics

  • Several describe browsing the dump as depressing, full of hatred and apparent mental health issues; seen as emblematic of wider online toxicity.
  • Comments note the internet enables “village crazies” to reinforce each other instead of being socially constrained.
  • Some argue a male-only equivalent app would be instantly banned, claim men’s spaces and victimization (including abuse) are dismissed, and describe a cultural shift toward default suspicion of men.
  • Others generalize that social media and “gender war” content are profitable because isolated, angry people are easier to exploit.

Firebase Misconfiguration and Responsibility

  • Multiple comments blame Firebase’s permissive defaults (open Firestore/Storage, client-side credentials) for making severe misconfigurations common.
  • Others insist the fault lies entirely with app developers who ignore clear security docs; “deny by default” has been standard practice for decades.
  • It’s noted this is at least the second recent app fully compromised via Firebase misconfig, reinforcing concerns about hazardous defaults.

Security Researcher’s Explanation and Ethics

  • The researcher explains:
    • Users authenticated via Firebase Auth.
    • The app backend used that token for its API, but the Firebase database itself allowed broad read/write/update/delete to any authenticated user.
    • By using an idToken directly against Firebase, anyone could enumerate and modify data (an IDOR-style issue).
  • They downloaded a ~300MB JSON snapshot to prove data recency, contacted media, and saw evidence of other parties probing the DB.
  • Some commenters question the ethics of:
    • Keeping such a large copy of sensitive data.
    • Feeding 10k posts into an AI summarizer and publishing content-level excerpts, even with pseudonyms.
  • Critics argue this goes beyond demonstrating a breach into re-exposing victims’ intimate stories; the researcher concedes they should have removed usernames and didn’t need detailed examples at all.
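The failure described in the Firebase section above and in the researcher's explanation (a valid Firebase Auth idToken being all that was needed for broad read/write/update/delete on the database) corresponds to a rules pattern like the first fragment below; the second and third show the deny-by-default alternative for the database and for Storage. These are constructed illustrations added here, not the Tea app's actual rules, and the collection names (users, messages, selfies) and the participants field are assumptions.

```rules
// firestore.rules (hazardous, constructed): any signed-in user can read,
// write, update and delete every document. One valid idToken is enough.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

// firestore.rules (corrected, constructed): no catch-all match, so every path
// not listed below is denied. Collection names and fields are assumed.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // A user may read, create and update only their own profile document.
    match /users/{userId} {
      allow read, create, update: if request.auth != null
                                  && request.auth.uid == userId;
      allow delete: if false;
    }
    // Private messages are readable only by their listed participants, and a
    // client cannot create a message it is not itself a participant of.
    match /messages/{messageId} {
      allow read: if request.auth != null
                  && request.auth.uid in resource.data.participants;
      allow create: if request.auth != null
                    && request.auth.uid in request.resource.data.participants;
      allow update, delete: if false;
    }
  }
}

// storage.rules (corrected, constructed): selfie uploads are scoped to their
// owner; a catch-all `match /{allPaths=**}` with `request.auth != null` would
// expose every user's images to every account.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /selfies/{userId}/{fileName} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }
  }
}
```

Rules are evaluated per request and deny when nothing matches, so the defensive posture is to write narrow matches and never a `{document=**}` or `{allPaths=**}` rule that only checks for a signed-in user.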

Law Enforcement Justifications and Policy Skepticism

  • The app’s claim that selfie retention was required for anti–cyberbullying enforcement is met with demands for citation and general disbelief.
  • Commenters tie this to broader distrust of “for the children” arguments used to justify pervasive ID collection and retention, which then become massive breach risks.