crack heads, meth heads, what’s the diff
dev came from marketing. pictures wouldn’t show up with all that security enabled.
At this point I think the women using it got psyopped
Hack has at least two definitions in a computing context.
- A nifty trick or shortcut that is useful. “Check out this hack to increase your productivity.”
- Accessing something you shouldn’t. “They hacked into the database.”
A lot of times they sort of get used in conjunction to describe interesting ways to gain access to secure systems, but using it to describe accessing insecure things you shouldn’t is still a valid usage of the phrase.
That said I definitely wanna see the company face charges for this, this is insane.
Yeah, if I leave my house door wide open for a few weeks and I get robbed, it’s still burglary.
In a legal context there’s also the concept of a “reasonable expectation of privacy”. The computer abuse and fraud act defines hacking as accessing data or systems you are not authorized to access.
A better analogy is putting your journal in a public library and getting mad when somone reads it.
I’m not saying what these ass holes did was right, I’m saying that the company weakened their legal position by not protecting the data.
Terrible analogy. You have permission to read books in a library.
Forgetting to lock your door isn’t granting permission to people enter your house, and it doesn’t grant people permission to take your valuables. It may be neglectful to leave your door unlocked, but it doesn’t imply granting permission to enter your house.
Same goes with computer security. Leaving your computer insecure may be neglectful, but it does not imply someone has permission to take your data.
Then how do I know what I am not allowed to access?
In this specific case there was no (formal) indication that the data was out of bounds.
I can’t put 10 pdf files in a web dir and claim 5 are public and 5 are private, then charge you with a crime for viewing them.
You can’t have “unauthorized access” when there’s no authorization at all
If I’m clicking around on a website and find a gallery of images, that’s something I’m supposed to have access to. If I start typing in URLs that aren’t linked anywhere on the site, then I’m accessing stuff the site hasn’t explicitly indicated I have access to. If I’m doing this with the intent of getting data and distributing to others, then yeah that would be illegal.
The law allows for someone to exercise judgement. The people who do this are not so coincidentally called Judges. If the 4chan guys had have been white hat and reported the issue to the site owners, then they’d be fine. But it’s obvious to anyone their intent was to get private information, they poked around to find some private information, and then distributed that private information to others causing a privacy violation. Yes, it was easier to do than it should have been, but it’s obvious they had malicious intent and it’s obvious they were accessing information they weren’t supposed to access.
A crime being really easy to commit doesn’t make it no longer a crime. Many times I’ve seen things that I could easily steal, but I don’t steal things when I have an opportunity to do so because a) stealing is wrong and b) saying “they just left this thing out there in a place anyone could steal it” would not be any kind of legal defense. Simply because you’re presented an opportunity to do a crime doesn’t mean it’s acceptable to do a crime, both legally and morally speaking.
A better analogy is putting your journal in a public library and getting mad when someone reads it.
Good analogy indeed. I’d go one step further and add: it’s like promising others you’ll keep their diary safe, then putting it in a public library, to then get mad when someone reads it.
Yeah the internet by design is a public space, and we must be responsible and treat it as such when handling sensative data.
Again, it was very wrong for people to take that data and especially to post like that.
The company also has to do their part and produce at least some kind of barrier to the data.
Even using UUIDs and making sure the data wasn’t query-able would have been something.
The web is a public space by design. The internet? I don’t think you can make that case well. Https and all that. Private infra abounds.
Thank you! I feel like I’m taking crazy pills reading people’s reactions to this. And if it was a business instead of your house and it was customer data you weren’t protecting you should still be in trouble too. It’s like people think only one side can be in the wrong in this or that because the data wasn’t secured and in the public that gives them free reign to post it everywhere. I wonder how those people would feel if their addresses were leaked. Afterall, if you’re a homeowner your name is attached to the property and is publicly accessible.
No, this was a data leak. The word “hack” has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.
It can be both. The company can be at fault for not keeping something secure while the people who steal the data are at fault for stealing data. Data leaks and hacks are not mutually exclusive.
Based on this comment alone, I am 100% sure that you are not a lawyer.
I don’t claim to be, but you can’t deny the difference the wording would make to a jury.
😂
What is the Tea hack?
An app called Tea™ was marketed as a safespace for women and used government issued IDs as a way to verify users.
4Chan users leaked all of the IDs onto the larger internet.
Wow what a fuckin shitshow. I have so many follow-up questions
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
What big advantages does pathlib provide? os.path works just fine
- Everything is in one library which offers consistency for all operations.
- You can use forward slashes on Windows paths, which makes for much better readability.
- You can access all the parts of a pathlib object with attributes like .stem, .suffix or .parent.
- You can easily find the differences between paths with .relative_to()
- You can easily build up complex paths with the / operator (no string additions).
Just off the top of my head.
if you don’t need those, why burden the program with another dependency?
It’s in the standard library, just like os or shutil.
deleted by creator
And what’s with the string addition? Never heard of f-strings or even .format()?
Make a PR
Be the change you want to see in the world.
This is hilarious
I absolutely despise Firebase Firestore (the database technology that was “hacked”). It’s like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.
A Firestore database facing the client directly on any serious project is a code smell in my opinion.
Ah yes, Firebase. The Google version of leaking all your company data through a public S3 bucket
I remember when they launched and started pushing it in the Android dev community. Actually won a Google Pixel at a Firebase sponsored hackathon in my town…after that I never touched Firestore again. Using that ACL language to restrict access, you could see the massive foot gun from a mile away
It’s like people learn how to make a phone app in React Native or whatever, but then come to the shocking and unpleasant realisation that a data-driven service isn’t just a shiny user interface - it needs a backend too.
But they don’t know anything about backend, and don’t want to, because as far as they are concerned all those pesky considerations like data architecture, availability, security, integrity etc are all just unwanted roadblocks on the path to launching their shiny app.
And so, when a service seemingly provides a way to build an app without needing to care about any of those things, of course they take it.
And I get it, I really do. The backend usually is the genuine hard part in any project, because it’s the part with all the risk. The part with all the problems. The place where everything can come crashing down or leak all your data if you make bad decisions. That’s the bothersome nature of data-driven services.
But that’s exactly why the backend is important, and especially the part you can’t build anything decent without thinking about.
I think it’s less about the tech picked and more about developers with no sense of security and a poor understanding of networking. I’ve seen far too many web applications where the developer needed some sort of database behind it (MySQL, PostGres, MSSQL) and so they stood up either a container or entire VM with a public IP and whatever the networking layer set to allow any IP to hit the database port. The excuse is almost always something like, “we needed the web front end to be able to reach the database, so we gave the database server/container a public IP and allowed access”. Which is wonderful, right up until half of the IP addresses in Russia start trying to brute force the database.
I agree that this is ultimately a problem with developers lacking security knowledge and general understanding, but my issue with Firestore specifically is that it is a powerful tool that, while it can be adopted as part of a carefully considered tech stack, lends itself most naturally towards being a blunt force instrument used by these kinds of developers.
My main criticism of Firestore is that it offers a powerful feature set that is both extremely attractive to amateur or constrained developers while simultaneously doing a poor job of guiding said amateurs towards creating a secure and well designed backend. In particular, the seemingly expected use case of the technology as something directly interfaced with by apps and other clients, as evidenced by the substantial support and feature set for this use case, is the main issue. This no-code no-management client driven interaction model makes it especially attractive to these developers.
This lack of indirection through an API Gateway or service, however, imposes additional design considerations largely delegated to the security rules which can easily be missed by a beginner. For example:
- Many examples of amateurs take an open-by-default approach, only applying access and write restrictions where necessary and miss data that should be restricted
- Some amateurs deploy databases with no access or write restrictions at all
- There is no way to only allow a “view” of a document to a request, instead a separate document and security rules containing the private fields needs to be created. This can be fairly simple to design around but seems to be a bit of a “gotcha”, plus if you have similar but non identical sets of data that needs to be accessible by different groups it must be duplicated and manually synchronized.
- Since there is no way to version data models, incompatible changes require complicated workarounds or an increasingly complicated deserialization process on the client side (especially as existing clients continue to write outdated models).
- Schema validation of data written by clients to the database is handled by security rules, which is seemingly unintuitive or missed by many developers because I’ve seen plenty of projects miss it
- If clients are writing data directly, it can become fairly complex to handle and subsequently maintain their contributions, especially if the aforementioned private data documents are required or the data model changes.
All of these pitfalls can be worked around (although I would still argue for some layer of indirection at least for writes), but at this point I’ve been contracted to 2 or 3 projects worked on by “professionals” (derogatory) that failed to account for any of these issues and I absolutely sick to death of it. I think a measure of a tools quality is whether it guides a developer towards good practices by design and I have found Firestore to completely fail in that regard. I think it can be used well, and it is perfectly appropriate for small inconsequential (as in data leaks would be inconsequential) single developer projects, but it almost never is.
sounds like firebase itself is a hack.
I’m honestly embarrassed by my fellow devs more often than not these days.
What the fuck happened to craftsmanship? Or taking pride in your work?
oh right, techbro startup culture garbage ended it.
Peak Vibe Coding results.
while True:
Jesus Christ
There’s nothing wrong with manually breaking a loop.
An infinite loop used to be such a rank code smell back when I was a junior, specifically because I was a noob and made giant loops like 50 lines long and invariably didn’t plan the exit condition right, and then my computer would lock up and I would have to hard power cycle.
But yeah, now it’s it’s a totally acceptable little pattern imho.
There’s nothing wrong with eating a banana with a knife and fork, either.
Except living with the shame.
Well these people probably don’t wash their hands so knife fork is the most sanitary way.
You know that’s not the Tea code, but the downloader, right?
Other reports state the Tea backend was Vibe Coded: https://www.ainvest.com/news/tea-app-data-breach-exposes-72-000-users-ai-generated-code-security-lapse-2507/
Sure, it might be, I’m not saying it isn’t. All I’m saying is: the screenshot shows the code someone wrote to download the images. It’s not part of the Tea codebase.
They’re also not using requests very efficiently, so who knows.
eh
Believe it or not a lot of hacking is more like this than you think.
Social engineering is probably 95% of modern attack vectors. And that’s not even unexpected, some highly regarded computer scientists and security researchers concluded this more than a decade ago.
When the technical side reaches a certain level of security, the humans become the weakest link.
*if
We reached that part a long time ago.
Clearly the authors of this app did not. Hence “if.”
I work in security and I kinda doubt this. There are plenty of issues just like what is outlined here that would be much easier to exploit than social engineering. Social engineering costs a lot more than
GET /secrets.json.There is good reason to be concerned about both, but 95% sounds way off and makes it sound like companies should allocate significantly more time to defend against social engineering, when they should first try to ensure social engineering is the easiest way to exploit their system. I can tell you from about a decade of experience that it typically isn’t.
https://www.infosecinstitute.com/resources/security-awareness/human-error-responsible-data-breaches/
You’re right. It’s 74%.
https://www.cybersecuritydive.com/news/clorox-380-million-suit-cognizant-cyberattack/753837/
It’s way easier to convince someone that you are just a lost user who needs access than it is to try to probe an organization’s IT security from the outside.
This is only going to get worse with the ability to replicate other’s voices and images. People already consistently fall for text message and email social engineering. Now someone just needs to build a model off a CSO doing interviews for a few hours and then call their phone explaining there has been a breach. Sure, 80% of good tech professionals won’t fall for it, but the other 20% that just got hired out of their league and are fearing for their jobs will immediately do what they are told, especially if the breach is elaborate enough to convince them it’s an internal security thing.
Yes social engineering can be incredibly effective. I completely agree, but there is a bit of an obsession with it these days and imo it’s over indexed, because at the end of the day the type of social engineering detailed in that report typically just provides access.
In some cases, the target is important enough and has enough organizational power that accessing the network as them is sufficient, but that’s not often the case. What that means is that in those other cases social engineering (which in that report you cited is often just phishing) is providing, typically, internal network access. An attacker will have to move through the network and exploit software typically to continue their attack. There are many points in this chain that the weakness lies in software or configuration. If effort was placed on making those systems better it would likely see better results than hyper focusing on the social engineering, which is significantly more difficult to stop, especially with all of the things you mentioned on the horizon.
My point is then that even if it is a part of 74% of breaches, according to Verizon, it’s not necessarily sufficient and is often paired with software level exploits.
And I know this because my company does plenty of red teaming, and we use social engineering but at the end of the day the more interesting result comes from a software exploit or just abusing a weak configuration.
You are right and what some people miss is that social engineering being the vector to gain foothold doesn’t mean that it was sufficient to allow the breach. Almost always you need some other weakness (or a series of them). Except when the weaknesses are so had that you don’t need a foothold at all (like this case), or when the social engineering gives you everything (rare, but you might convince you someone to give you access to data etc.).
A whole separate conversation is deserved by how effective (or not) social engineering training is. Quite a few good papers about the topic came out in the last fee years.
This has been the case for 40+ years. Humans are almost always the weakest link.
we built this shit. thus we are always to blame.
The percentage is closer to 75% than 95%.
If I was a hacker, I would just get a job as a night cleaning person at corporate office buildings. And then just help myself to the fucking post-it notes with usernames and passwords on them.
Security by obscurity.
this man ssh’d in on a five-digit port
I think that’s less about “hacking” and more about modern day devs being overworked by their hot-shit team lead and clueless PMs and creating “temporary” solutions that become permanent in the long run.
This bucket was probably something they set up early in the dev cycle so they could iterate components without needing to implement an auth system first and then got rushed into releasing before it could be fixed. That’s almost always how this stuff happens; whether it’s a core element or a rushed DR test.
modern day devs being overworked
And then there is meningspunktet.dk which had all the time in the world to do whatever they wanted, and even get their hosting paid for by a university. They still leaked everyones email, phone, full legal name and location on day one and only fixed it because I pointed it out.
Thanks for the writeup - I can’t believe they claimed anything about keeping data safe while building the website so poorly…
Many years ago, I discovered that my then-employer’s “home built” e-commerce system had all user and admin passwords displayed in plaintext at home/admin/passwords.
When I brought this to the attention of leadership, they called the “developer” in and he said “oh, well, that’s IP locked, so no one on the web can access it!” When I pulled it up on my phone, he insisted my phone was on the work WiFi, despite it being clearly verifiable that was not the case. (The same work WiFi that had an open public connection, which is the one my phone would have been on, if it were on it…)
He did fix that, but many other issues remained. Eventually a new COO hired someone competent as his ‘backup’, replaced our website and finally suggested he pursue other employment opportunities before he could no longer voluntarily pursue them. (There was concern he might sabotage.)
Shodan lists 100’000s of publicly accessible security cameras.
This reminds me of how I showed a friend and her company how to get databases from BLS and it’s basically all just text files with urls. “What API did you call? How did you scrape the data?”
Nah man, it’s just… there. As government data should be. They called it a hack.
ah yes, the forbidden curl hack
AI just enables the shit programmers to create a greater volume of shit
My favorite one I’ve seen so far was “AI can take a junior programmer and make them a 10x junior programmer.”
I’ll tape this to my office door.
I remember when a senior developer where i worked was tired of connecting to the servers to check its configuration, so they added a public facing rest endpoint that just dumped the entire active config, including credentials and secrets
That was a smaller slip-up than exposing a database like that (he just forgot that the config contained secrets) but still funny that it happened
That’s not a “senior developer.” That’s a developer that has just been around for too long.
Secrets shouldn’t be in configurations, and developers shouldn’t be mucking around in production, nor with production data.
That’s just a senile developer
Yeah the whole config thing in that project was an eldritch horror of a legacy, too ingrained in both the services and tooling to be modified without massive rewrites
I would have put IP address access restrictions on that at the very least. I may have even done something like that more than once for various tools in the past.
That way it acts completely open to people (or other servers) in the right places and denies all knowledge to anything else.
What was the BASE_URL here? I’m guessing that’s like a profile page or something?
So then you still first have to get a URL to each profile? Or is this like a feed URL?
It’s a public firebase bucket
Oh Jesus
That should be criminally negligent.
🤦♂️
Possibly from the decompiled APK. 404media reported that they found the same URL as the posted one in the APK (archive link).
Securing the db is more of an ops thing.
