> TechCrunch also identified a potential second security issue, in which an email address and plaintext password belonging to the app’s creator, Lampkin, was left exposed on the server
> While the app requests IDs and selfies from its users to verify their identities — a process that is not automatic — users can access a “guest” view of the app without signing in.
Is this just bad development? Are these just things that could be missed by any developer or team?
I'm curious as someone who would like to create side projects with users (albeit not dubious ones like these apps), but I'm always afraid of a glaring security flaw that would be basic 101 of web development.
As the saying goes, "Human error is not a root cause". A good Five Whys would eventually hit something:
Why did the DL pictures leak? Because the images were accessible via public URL. Why were they accessible that way? Because nobody on the team checked they were not. Why did nobody check?
Maybe not enough red team thinking was employed. It's easy to make an app and say "Look we have a sign-in screen, it's secure", but you need to think from the attacker's perspective and make sure every route to every piece of sensitive data is actually secure.
This is almost "paralyzingly" scary but to not think about it at all is something I cannot fathom from the developers who made these apps.
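The "check every route to every piece of sensitive data" point above, as an added example that is not part of the thread and not code from either app. It models the two setups in simplified form: a bucket where any upload path is world-readable (the failure described) and one that only serves an object behind a short-lived HMAC-signed URL, plus an audit that fetches each sensitive route with no credentials and reports anything that answers 200. The object paths, the fixed clock value and the signing key are constructed for the example; the simulated fetchers stand in for real HTTP requests.

```python
"""Added example (not from the thread): audit sensitive routes with no
credentials, and the usual fix for user uploads (HMAC-signed, expiring URLs).
Paths, clock and key below are constructed for the example."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed "sensitive" objects, the kind an ID/selfie bucket would hold.
OBJECTS = {"/uploads/u123/id_front.jpg", "/uploads/u123/selfie.jpg"}

# Assumption: server-side signing key; load it from a secret store in real use.
SIGNING_KEY = b"example-only-signing-key"

# Fixed clock so the example is deterministic (Unix time, constructed).
NOW = 1_700_000_000


def _mac(path: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over the object path and its expiry, hex encoded."""
    return hmac.new(key, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: int, key: bytes = SIGNING_KEY) -> str:
    """Return path?expires=...&sig=... that is valid for ttl_seconds from now."""
    expires = now + ttl_seconds
    return f"{path}?expires={expires}&sig={_mac(path, expires, key)}"


def status_public_bucket(url: str, headers: dict) -> int:
    """Simulates the vulnerable setup: any existing object path is readable by anyone."""
    return 200 if urlparse(url).path in OBJECTS else 404


def status_signed_bucket(url: str, headers: dict, now: int = NOW,
                         key: bytes = SIGNING_KEY) -> int:
    """Simulates the hardened setup: an object is served only with a valid,
    unexpired signature bound to that exact path."""
    parsed = urlparse(url)
    if parsed.path not in OBJECTS:
        return 404
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return 403  # no signature at all: the bare path is not enough
    if now >= expires:
        return 403  # link has expired
    if not hmac.compare_digest(sig, _mac(parsed.path, expires, key)):
        return 403  # signature does not match this path/expiry
    return 200


def audit_unauthenticated(routes, fetch_status) -> list:
    """Return every route that serves data to a client presenting no
    credentials. fetch_status(url, headers) -> HTTP status; here one of the
    simulated buckets, in a real check an HTTP GET with an empty session."""
    return [route for route in routes if fetch_status(route, {}) == 200]


def main() -> None:
    routes = sorted(OBJECTS)
    print("public bucket leaks:", audit_unauthenticated(routes, status_public_bucket))
    print("signed bucket leaks:", audit_unauthenticated(routes, status_signed_bucket))
    link = sign_url("/uploads/u123/selfie.jpg", ttl_seconds=300, now=NOW)
    print("fresh signed link:", status_signed_bucket(link, {}, now=NOW))
    print("same link 301s later:", status_signed_bucket(link, {}, now=NOW + 301))


if __name__ == "__main__":
    main()
```

The audit is the part that would have caught the leak: it never looks at the sign-in screen, only at the routes where the data actually lives. The signed-URL half shows why a sign-in screen alone is not the control; the object store has to refuse the bare path, and a signature that is bound to the path and to an expiry cannot be reused for a different object or after its window closes.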
Doing some more digging into these two "CEOs" of Tea and TeaOnHer. The TeaOnHer CEO is a Criminal Justice graduate from UMD with some comments about using claude.ai, and the Tea CEO looks like he took a 6-month coding bootcamp at UC Berkeley. I don't want to dog on their background because I also don't have a CS degree but man...