Tea was storing its users’ sensitive information on Firebase, a Google-owned backend cloud storage and computing service.
Every time. With startups, it’s always an unsecured Firebase or S3 bucket.
I’m certainly no web security expert, but shouldn’t Tea’s junior network/backend/security developers, let alone seniors, know how to secure said Firebase or S3 buckets with STARTTLS or SSL certificates? Shouldn’t a company like this have some sort of compliance department?
It’s a little more complex than that. If you want the app on the user device to be able to dump data directly into your online database, you have to give it access in some way. Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.
Obviously there are ways around this too, but it’s not just “use TLS”.
Wouldn’t some sort of proxy in between the bucket and the client app solve this problem? I feel like you could even set up an endpoint on your backend that manages the upload. In other words, why is it necessary for the client app to connect directly with the bucket?
Maybe I’m not understanding the gist of the problem
Exactly, it’s not necessary. It’s bad / lazy design. You don’t expose the DB storage directly, you expose a frontend that handles all the authentication and validation stuff before accessing the DB on the backend. That’s normal Client-Server-Database architecture.
Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.
Encrypt the credentials then? Or OAUTH pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that encrypts the data on that server and then decrypted on the database host?
Clearly my utter “noobishness” is showing, but at least it’s triggering a slight urge to casually peruse modern WebSec production workflows. I am a DNN researcher. Thus, I am far removed from customer-facing production environments, and it shows.
Any recommendations on literature or articles on how engineers solve these problems in a “best practices” way that you can recommend? I suppose I could just look it up, but I thought I’d ask.
Edit: I don’t know why I’m down-voted. My questions were sincere.
SSL is not the tool you need in this case, although you should obviously already be running exclusively on encrypted traffic.
The problem here is one of access rights - you should not make files default-available for anyone that can figure out the file name to the particular file in the bucket. At the very least, you need to be using signed URLs with a reasonably short expiration, and default all other access to be blocked.
As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.
Is it really just permission rights “over-exposure” issue? Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?
Also, if you have time, recommend any links to web/cloud/SaaS security best practices “for dummies”?
deleted by creator
Honestly it seems like a weapon that can too easily be used for defamation
I mean, yes, but does that take priority over women who are worried about their safety? There’s been women doing this over local Facebook groups for a long time. Defamation of this sort is not a new issue.
It was defamation the entire time just because somebody made it an app rather than a Facebook group doesn’t make any difference. It was always a crap thing to do.
Of course Tea took it to an entirely new level of stupid.
It was potentially defamation when it was just women…talking to one another, too. This seems like a pretty solid case of men looking at something women do to protect each other, and saying “…but what about the men who could be negatively affected in some cases?” I also think the tone in which this is being discussed is pretty revealing about Lemmy’s demographics.
Yeah, because only men are talking about this.
For what it is worth. I am a woman and I still think this app is wrong.
the app is called TEA - it is a gossip vector masquerading as a safety mechanism, and people are making all sorts of claims about innocent people they had a bad date about, including their full name, location, workplace, pictures of their face - and accusing them baselessly in some (or most) instances of violent crimes.
If you can’t see how not only that wouldnt make women safer, but instead is a black mirror episode - there’s something wrong.
People against this app aren’t against women’s safety, and they dont necessarily believe our current systems and protection are adequate - but getting lynched by half a city because of a jaded ex is not a solution and is a crime of its own.
I mean half the posts on similar Facebook groups complain about the men being “narcissists” yeah its a shitty personality trait but thats clearly not a fucking safety issue, its about gossiping and doxxing people.
Considering even the mere accusation can ruin someone’s life? Yes.
The problem isn’t women don’t deserve to be safe, the problem is we cannot just give people powerful weapons with no oversight or burden of proof to be deployed simply because a date didn’t go well.
Facebook or App, the danger is too great
Change the target to any other group and the outrage would be 100-10000 fold bigger.
Try it out, instead of Women rating men, try subbing in various minority groups or races.
Bonus points for the most offensive combinations…
e.g. Russians rating Ukrainians in your area…it can get pretty bad…I can think of many worse combos.
Russians rating Ukrainians
Interesting analogy. You realize you have it backwards, right? Women are the Ukrainians on this scenario.
Agreed, but it is worse the way I put it…
Ah nice.
Time to implement a social score. Those who rate highly have better access to social areas.
Those who rate lower are fucked for the rest of their life.
This sounds like such an amazing idea that has no shortcomings whatsoever!
Edit: /s
How does this app even work?
You sign up and then a while later, your personal information gets leaked to the public. Not sure what its other purpose is.
That’s corporate social media/apps in general. Does this thing basically let people list crappy things that happened to them by specific humans?
It’s basically a slander app, from what I can tell.
Fair point.
You could easily convince me that it was a brilliantly executed honeypot. It’s just too damn poetic.
“It’s a women’s safety app” No it wasn’t. This app was about women’s safety as much as the recent payment processor porn game censorship bullshit was about child safety. This was about slandering men for fun because women love gossip. The app’s name was “Tea.”
Not a single woman who signed up for this app stopped to think, “Here’s a brand new app, just came out, has no track record, no reputation. I don’t know who runs this. I don’t know how they secure their database. I know what they’re asking, they want a picture of my government-issued ID. We’ve spent the last two decades reading news headlines of the pattern “tech company was hacked, 2.2 million users compromised including emails, home addresses and SSNs” on a weekly basis. There hasn’t been a week gone by since Dubya was president that hasn’t happened.”
The women who uploaded pictures of their IDs to some app really had their own safety in mind. Turns out you can short circuit that whole process with hilarious ease if you say things like “women only” and “slander your exes.”
I don’t think I could have constructed a better example as to why all the recent “prove your identity” shit is comprehensively retarded.
Lots of men in this thread real upset about this app pointing out how the majority men are shit
Defaming people without giving them a chance to defend themselves, talk about shit people…
It’s not defamation if it’s true
And its legally actionable libel/slander if false.
Citation of course needed with that one.
The only people who will be listed on the app are people who are either deserving they’ve been on there or people who don’t deserve to be on there but some woman in their lives has decided to inact some vengeance justified or otherwise.
What are you basing the majority of men are shit on? Confirmation bias?
Well im a man. And most men i interact with are casually misandrist, ableist and homophobic. I can’t imagine they behave any better when they’re trying to fuck you
So confirmation bias. Gotcha. That’s generally not a great way to make sweeping generalizations about 50% of the population.
You ever hear that adage about smelling shit wherever you go, maybe check your shoes?
Oh come on, you know how Those People are
It’s an antisocial surveillance system for antisocial people, and creates a(n even more) antagonistic relationship between men and women.
Dating apps have been a disaster for dating, and this is perhaps the worst among them.
Lots of misandrists in this thread framing security failures as sexism against men
deleted by creator
Lots of misandrists in this thread framing security failures as sexism against men
It can be both.
So many problems are caused because society assumes cisgender women are always victims and anything that looks like a man if you look at it long enough is an abuser.
It’s just original Facebook but for women to rate and bully men instead of Mark and his scum bros using it to rate and bully women.
We didn’t like it when Mark did it, why would we like it now?
Well, we know what to bait a honeypot with. “Gossip about/slander men right here! To prove you’re a woman, insert your photo ID, bank details, credit card information, finger prints and retinal scans.”
How many red flags do you need to collect before you get a free cat?
Why did the app had the government IDs and credit card data to begin with? The app looks like an obvious phishing scam/ Honeypot situation.
that’s a great(terrible) idea for a sex trafficking psyop. just get yourself a female spokesperson and make it a platform that gives a voice to women who have survived abuse. they’ll willingly give you all their information on where to find them and their psych profiles on how to manipulate them.
fucked up, but really shows how fucked up apps are in general and how much power we give to them over ourselves.
A more ironic outcome couldn’t have happened
Sounds MAGA level IT and dev.
