TeaOnHer App Exposes Users' Personal Data and Driver's Licenses
TeaOnHer, a recently launched iOS application positioned as a male counterpart to the controversial "Tea" app, has been found to harbor significant security vulnerabilities, leading to the exposure of sensitive user data. This revelation comes shortly after the app ascended to prominence, ranking No. 2 among Lifestyle apps on iOS and No. 17 across all free apps, surpassing platforms like Instagram and Netflix.
TechCrunch has confirmed at least one critical flaw that grants unauthorized access to user data. This includes usernames, associated email addresses, and crucially, images of government-issued driver’s licenses and selfies uploaded for account verification. These identity documents are publicly accessible via web addresses, allowing anyone with the direct links to view them. The security lapse impacts approximately 53,000 TeaOnHer users who have registered or submitted identification.
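The exposure described above follows a familiar pattern: uploaded identity documents served from a path that any holder of the link can fetch, with no check that the requester is entitled to see them. The following is an added illustration, not code from TeaOnHer or Newville Media, contrasting that bare-path handler with one that only honours a short-lived HMAC-signed link bound to the logged-in account. The signing key, document ids, user ids and reviewer mapping are all constructed sample values.

```python
"""Access control for uploaded verification documents (added example).

Contrasts a bare object path, where knowing the URL is enough, with a
handler that requires a short-lived signed link tied to an authorised
viewer. Keys, document ids and user ids below are constructed samples.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

SIGNING_KEY = b"constructed-sample-key-rotate-in-production"  # assumption: server-side secret
LINK_TTL_SECONDS = 300  # assumption: links die after five minutes

# Constructed sample store: document id -> owner and file bytes.
DOCUMENTS = {
    "doc-0001": {"owner": "user-42", "bytes": b"<drivers-licence-image>"},
}
# Constructed sample: which accounts may review which user's documents.
REVIEWERS = {"user-42": {"reviewer-7"}}


def _mac(doc_id: str, viewer: str, expires: int) -> str:
    """HMAC over everything the link grants: which document, to whom, until when."""
    msg = f"{doc_id}|{viewer}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def fetch_unprotected(path: str) -> Optional[bytes]:
    """Vulnerable pattern: whoever knows the path receives the file."""
    doc_id = path.rsplit("/", 1)[-1]
    doc = DOCUMENTS.get(doc_id)
    return doc["bytes"] if doc else None


def issue_link(doc_id: str, viewer: str, now: Optional[int] = None) -> str:
    """Mint a signed link for the owner or an approved reviewer; raise otherwise."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    if viewer != doc["owner"] and viewer not in REVIEWERS.get(doc["owner"], set()):
        raise PermissionError(f"{viewer} may not view {doc_id}")
    expires = int(now if now is not None else time.time()) + LINK_TTL_SECONDS
    sig = _mac(doc_id, viewer, expires)
    return f"/verification/{doc_id}?viewer={viewer}&expires={expires}&sig={sig}"


def fetch_protected(url: str, session_user: str, now: Optional[int] = None) -> Optional[bytes]:
    """Hardened handler: the link must be unexpired, carry a valid signature,
    and name the same account as the authenticated session."""
    parsed = urlparse(url)
    doc_id = parsed.path.rsplit("/", 1)[-1]
    query = parse_qs(parsed.query)
    try:
        viewer = query["viewer"][0]
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None
    current = int(now if now is not None else time.time())
    if current > expires or viewer != session_user:
        return None
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(sig, _mac(doc_id, viewer, expires)):
        return None
    doc = DOCUMENTS.get(doc_id)
    return doc["bytes"] if doc else None


if __name__ == "__main__":
    link = issue_link("doc-0001", "reviewer-7")
    print("bare path:", fetch_unprotected("/verification/doc-0001"))
    print("signed link, right session:", fetch_protected(link, "reviewer-7"))
    print("signed link, other session:", fetch_protected(link, "stranger"))
```

The design point is that the check happens on the server for every request: the link alone is worthless to a third party, a forwarded link fails the session match, and a stale one fails the expiry check, so a leaked URL no longer equals a leaked document.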
Further investigation by TechCrunch uncovered a potential second security issue: the exposure of an email address and plaintext password belonging to Xavier Lampkin, the founder and CEO of Newville Media Corporation, the developer behind TeaOnHer. These credentials, found on the server, appear to provide access to the app’s administrative panel, posing a severe risk for broader system compromise. While TechCrunch refrained from using these credentials due to legal implications, their exposure underscores critical lapses in security posture.
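A plaintext password sitting on a server means that any read access to that file, whether through a misconfiguration like the one above or a later breach, hands over the credential itself. As an added illustration, not code from the app or its developer, the block below places that plaintext record beside a salted scrypt record with constant-time verification, so that a leaked credentials file yields only a slow-to-attack digest. The usernames, passwords, salt and cost parameters are constructed sample values.

```python
"""Credential storage for an administrative login (added example).

The plaintext record the article describes beside a salted scrypt record.
Usernames, passwords and the fixed test salt are constructed samples; the
scrypt cost is an assumption to be tuned to the server's budget.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumption: ~16 MiB per derivation
DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same time as known ones


def store_plaintext(db: Dict[str, str], user: str, password: str) -> None:
    """Vulnerable pattern: the secret is recoverable by anyone who reads the store."""
    db[user] = password


def _derive(password: str, salt: bytes) -> bytes:
    """Memory-hard key derivation; a leaked digest still has to be brute-forced."""
    return hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)


def store_hashed(db: Dict[str, str], user: str, password: str,
                 salt: Optional[bytes] = None) -> None:
    """Hardened pattern: per-user random salt plus scrypt digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    db[user] = salt.hex() + "$" + _derive(password, salt).hex()


def verify(db: Dict[str, str], user: str, password: str) -> bool:
    """Check a login attempt against the hashed store in constant time."""
    record = db.get(user)
    if record is None:
        _derive(password, DUMMY_SALT)  # equalise timing for non-existent accounts
        return False
    salt_hex, digest_hex = record.split("$", 1)
    candidate = _derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    plain: Dict[str, str] = {}
    store_plaintext(plain, "admin", "constructed-sample-password")
    print("plaintext store reveals:", plain["admin"])
    hashed: Dict[str, str] = {}
    store_hashed(hashed, "admin", "constructed-sample-password")
    print("hashed store reveals:", hashed["admin"])
    print("login ok:", verify(hashed, "admin", "constructed-sample-password"))
    print("wrong password:", verify(hashed, "admin", "not-it"))
```

Hashing the credential does not make the admin panel safe on its own; the stored record should also be kept out of any web-served directory, and the administrative login should sit behind a second factor so that even a cracked digest is not sufficient.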
The app's controversial nature extends beyond its security flaws. Designed for men to share information and photos of women they have allegedly dated, TeaOnHer’s "guest" view immediately revealed troubling content, including unsolicited images and posts containing derogatory remarks and unverified accusations. This content raises significant ethical concerns regarding consent and user safety, mirroring some of the controversies surrounding the "Tea" app, which itself faced a backlash over a publicly exposed database and private messages.
Despite the gravity of these findings, the developer did not respond to TechCrunch's inquiries regarding responsible disclosure. This lack of communication, combined with the app's rapid popularity, necessitates this public disclosure with limited technical details to mitigate the risk of malicious exploitation while alerting the user base to the inherent dangers of using the application.