A rival Tea app for men is leaking its users’ personal data and driver’s licenses

A newly launched dating app, TeaOnHer, designed as a counterpart to the controversial women’s safety app Tea, is reportedly exposing its users’ sensitive personal information, including government-issued identification and selfies. TechCrunch has confirmed significant security vulnerabilities within the app, raising serious privacy concerns for its user base.

TeaOnHer emerged on the Apple App Store this week, positioning itself as a platform for men to share information about women they have dated. This app is a direct response to the viral app Tea, which allows women to post details about men they have encountered. Tea, advertised as a safety tool for women and boasting over 6 million users, draws parallels to “Are we dating the same guy?” Facebook groups. However, Tea itself has faced considerable controversy due to the unverified nature of claims made on its platform.

The scrutiny on the Tea ecosystem intensified recently after reports surfaced detailing security breaches affecting the original Tea app. Users’ personal data, including approximately 72,000 images comprising selfies and photo IDs submitted for verification, were reportedly found in a publicly exposed database. A subsequent hack further compromised the app by exposing over 1 million private messages, leading the app to disable its messaging functionality.

TeaOnHer, which has rapidly climbed to the No. 2 spot among Lifestyle apps on iOS and is currently ranked No. 17 overall among free apps, appears to have mirrored Tea’s own App Store description language. However, the app has inherited, or developed, its own critical security flaws.

TechCrunch’s investigation has uncovered at least one critical vulnerability in TeaOnHer that grants unauthorized access to user data. This includes usernames, associated email addresses, driver’s licenses, and selfies uploaded by users. Disturbingly, images of these driver’s licenses are accessible via publicly available web addresses, meaning anyone with the direct link can view them through a web browser.

In one instance, TechCrunch observed a list of posts on TeaOnHer that were appended with users’ email addresses, display names, and self-reported locations. The publication noted that details of the bugs are being withheld to prevent exploitation by malicious actors. The app’s developer did not respond to requests for information on how to report these flaws, prompting TechCrunch to publish the findings with limited technical details due to the app’s current popularity and the inherent risks for its users.

TeaOnHer was developed by Newville Media Corporation, with Xavier Lampkin identified as its founder and CEO. TechCrunch reported identifying at least one TeaOnHer user record associated with Lampkin’s own data, suggesting even the app’s creator may not be immune to the security lapses.

The security oversights affect an estimated 53,000 users who have signed up or shared identity documents with TeaOnHer. Beyond the personal data exposure, TechCrunch also identified a potential second security issue where an email address and plaintext password belonging to the app’s creator, Lampkin, were left exposed on the server. These credentials appeared to grant access to the app’s “admin” panel, highlighting the risks of inadvertently exposed administrative access.

Adding to the concerns, the content within TeaOnHer itself is problematic. While the app requires IDs and selfies for verification, users can access a “guest” view without logging in. This guest mode reportedly displayed images of the same woman multiple times under different names, possibly as spam, with no clarity on consent. Other posts shared users’ photos and names alongside derogatory comments, including accusations of spreading sexually transmitted infections.

The app’s current popularity, evidenced by its high rankings on the App Store, underscores the urgency of addressing these security and privacy issues for its large user base.