this post was submitted on 31 Jul 2025
460 points (99.4% liked)

Technology
[–] Armand1@lemmy.world 177 points 2 months ago (13 children)

The company should be sued into the ground. This is horrendous

[–] andyburke@fedia.io 89 points 2 months ago (2 children)

In any other engineering discipline this would be negligence.

[–] FauxLiving@lemmy.world 41 points 2 months ago* (last edited 2 months ago)

It is negligence, but information workers have very little regulation when it comes to handling personal data (outside of specific fields, like healthcare and finance).

I say this as an information worker who handles a lot of personal data. Worst case scenario, I get fired and can't use them as a reference. Unless I'm intentionally stealing data and using it for crimes there's no risk of criminal penalties.

We needed privacy laws 20 years ago but the tech bros assured everyone that it would be fine and for a long time they were mostly responsible with our data. But now we're well into the enshittification of the Internet and the lack of regulation is allowing these kinds of harms to become common.

Though, in a sane regulatory framework Tea wouldn't be allowed to exist in the first place. The entire point of the site is to doxx people and share personal details about them without their consent.

[–] Taldan@lemmy.world 9 points 2 months ago (1 children)

At least some of the negligence is on Google, for the atrocious default security settings in Firebase

The vulnerability is called hospital gown because they leave the back end wide open by design. It's not even a traditional vulnerability, since it's technically working as intended

[–] echodot@feddit.uk 9 points 2 months ago

In fairness if you leave Firebase in its default settings it won't shut up about it.

You get warnings on the website, and constant emails telling you that you're being a pillock.
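Taldan's "hospital gown" point and the reply above are about Firebase security rules that leave data readable and writable by anyone. The following is an added example, not code from this thread or from Firebase: a small Go audit that walks a Realtime Database rules document (the JSON `rules` tree, which is the variant assumed here) and lists every path whose `.read` or `.write` is the literal `true`. The sample rules are constructed for the example and place an open `uploads` subtree beside a `users` subtree scoped to the authenticated owner, which is the shape a fix should take.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// OpenFirebasePaths walks a Realtime Database rules tree and returns every
// path whose ".read" or ".write" is the literal true, i.e. open to anyone on
// the Internet. A string such as "auth != null" is a condition and is not
// flagged. Output is sorted so results are stable across runs.
func OpenFirebasePaths(rulesJSON string) ([]string, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(rulesJSON), &doc); err != nil {
		return nil, err
	}
	rules, _ := doc["rules"].(map[string]interface{})
	open := []string{}
	walkRules(rules, "/", &open)
	sort.Strings(open)
	return open, nil
}

// walkRules recurses through the tree; map keys starting with "." are rule
// keywords, every other key is a child path segment.
func walkRules(node map[string]interface{}, path string, open *[]string) {
	for key, val := range node {
		if key == ".read" || key == ".write" {
			if b, ok := val.(bool); ok && b {
				*open = append(*open, path+":"+key)
			}
		} else if child, ok := val.(map[string]interface{}); ok {
			walkRules(child, strings.TrimSuffix(path, "/")+"/"+key, open)
		}
	}
}

// Constructed sample: an "uploads" subtree left wide open (the "hospital gown")
// next to a "users" subtree that only lets an authenticated user reach their
// own record, which is the shape the fix should take.
const sampleRules = `{"rules": {
  "uploads": {".read": true, ".write": true},
  "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                     ".write": "auth != null && auth.uid == $uid"}}}}`

func main() {
	open, err := OpenFirebasePaths(sampleRules)
	fmt.Println("paths open to everyone:", open, err)
}
```

Running it against the sample reports only the two `uploads` rules; the per-user rules are conditions, not open doors, so they are not listed.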

[–] semperverus@lemmy.world 43 points 2 months ago* (last edited 2 months ago) (21 children)

Both the company, for failing to protect its users; and a large majority of its users, for doxxing and libel.

It's unfortunate that it happened this way, but now the people who are being libeled and doxxed have the ability to find out about it where they didn't before.

[–] FauxLiving@lemmy.world 33 points 2 months ago

I mean, it's on brand. The doxxing app is successfully doxxing people...

[–] aceshigh@lemmy.world 18 points 2 months ago (2 children)

You get 89 cents in the settlement. Do you prefer to get a direct deposit or a check?

[–] blitzen@lemmy.ca 168 points 2 months ago (13 children)

Everyone is talking about the poor security practices, which is fair. Or they are talking about the appropriateness of such an app existing, which is also fair.

But the immediate take away should be, especially in today’s political environment, that we cannot and should not trust sensitive data that leaves our device, particularly if you are of any kind of non privileged group.

[–] eldebryn@lemmy.world 94 points 2 months ago (1 children)

the entire UK government disliked this comment

[–] Korhaka@sopuli.xyz 28 points 2 months ago* (last edited 2 months ago) (2 children)

The UK government can shove it up their fucking arse.

Sincerely, A UK citizen.

[–] DreamlandLividity@lemmy.world 13 points 2 months ago

This has been the case for a long time, so suddenly you have apps like Tea that encourage you to upload info of other people. So now even the few that take care not to upload their info can be nicely monitored. And the Gestapo does not even need to pay their informants for it.

[–] gravitas_deficiency@sh.itjust.works 52 points 2 months ago (2 children)

This is why you don’t vibe code a webservice

[–] FauxLiving@lemmy.world 26 points 2 months ago (5 children)

This wasn't vibe coding, it's incompetent devops.

You have to go out of your way to make these buckets public like this. Several giant "Everyone will have access to this" warnings, re-authentication, a permanent warning symbol on the dashboard AND regular e-mails reminding you that you have a public bucket. I don't even think you can do this via the API, it requires a human to manually make this setting.

I'm guessing that they couldn't figure out how to configure the Access Control Lists and just made it public so that it would work. That's fine in a test environment, without any user data but it's pure incompetence to have a production system set up this way.
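The comment above is about buckets made public through their access configuration. Here is an added example, not from this thread or from any cloud provider's tooling: a Go function that reads an S3-style bucket policy document and reports which actions its `Allow` statements grant to everyone (Principal `*`, or `{"AWS": "*"}`). The policy, bucket name and account ID are constructed placeholders; the second statement shows the locked-down shape, a grant scoped to a single IAM role.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// s3Policy is the subset of an S3 bucket policy document this audit reads.
type s3Policy struct {
	Statement []struct {
		Effect    string          `json:"Effect"`
		Principal json.RawMessage `json:"Principal"`
		Action    json.RawMessage `json:"Action"`
	} `json:"Statement"`
}

// asStrings accepts a JSON string or list of strings; anything else yields nil.
func asStrings(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// principalIsEveryone reports whether a Principal grants to the world: the
// literal "*", or a map such as {"AWS": "*"} or {"AWS": ["*", ...]}.
func principalIsEveryone(raw json.RawMessage) bool {
	lists := [][]string{asStrings(raw)}
	var m map[string]json.RawMessage
	if json.Unmarshal(raw, &m) == nil {
		for _, v := range m {
			lists = append(lists, asStrings(v))
		}
	}
	for _, list := range lists {
		for _, p := range list {
			if p == "*" {
				return true
			}
		}
	}
	return false
}

// PublicS3Actions returns, in policy order, the actions that Allow statements
// grant to everyone. Deny statements, object ACLs and the account's Public
// Access Block are not modelled, so a hit means "inspect this bucket" rather
// than proven exposure; an empty result means the policy itself grants nothing.
func PublicS3Actions(policyJSON string) ([]string, error) {
	var p s3Policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	var found []string
	for _, st := range p.Statement {
		if st.Effect == "Allow" && principalIsEveryone(st.Principal) {
			found = append(found, asStrings(st.Action)...)
		}
	}
	return found, nil
}

// Constructed sample: the first statement hands read and list to anyone; the
// second shows the locked-down shape, a grant scoped to one IAM role.
const samplePolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"]},
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-uploads/*"}]}`

func main() {
	acts, err := PublicS3Actions(samplePolicy)
	fmt.Println("actions open to everyone:", acts, err)
}
```

The audit only looks at the policy document; bucket and object ACLs are a separate grant path and would need their own check before concluding a bucket is private.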

[–] gravitas_deficiency@sh.itjust.works 9 points 2 months ago (5 children)

I’d say it’s not fine in a test environment, because then your test env S3 bucket is publicly available.

[–] Ganbat@lemmy.dbzer0.com 47 points 2 months ago* (last edited 2 months ago)

They hired an investigator? Any investigator worth a shit is gonna say that they're liable for failing to secure private data they collected, ~~as well as for retaining data they were apparently legally obligated to delete~~

Edit: Misread that segment, they actually presented it as if they were deleted to users, but apparently retained them to comply with vague "law enforcement requirements."

[–] Truscape@lemmy.blahaj.zone 41 points 2 months ago (1 children)

"Sir, we've already been breached once!"

"But what about second breach?"

[–] FerretyFever0@fedia.io 12 points 2 months ago

Now there are two of them. A second breach has hit the app.

[–] elvis_depresley@sh.itjust.works 36 points 2 months ago

This is why age verification is dangerous. If a company can just forget to delete your ID picture, it will happen...

[–] Logical@lemmy.world 34 points 2 months ago

On the one hand, sucks that a leak like this even happens anymore, no one deserves to be doxxed like that. On the other hand, I struggle to feel bad for the users of the doxxing app getting doxxed in return...

[–] magnetosphere@fedia.io 30 points 2 months ago (2 children)

The Tea app is a women-only dating safety platform where members can share reviews about men, with access to the platform only granted after providing a selfie and government ID verification.

This sounds irresistible for angry misogynists. The only thing that surprises me about this is that it didn’t happen earlier.

[–] Fondots@lemmy.world 21 points 2 months ago (3 children)

The only thing that surprises me about this is that it didn’t happen earlier.

I'm way out of the dating game at this point, and also a man, so it's very likely that I'm just out of the loop

But I hadn't heard anything about this app until a couple weeks ago when I saw an article or two about it

Then about a week later this happened

So I kind of feel like maybe most of the assholes who did this were similarly unaware of it until it got some exposure and then it was on their radar.

I would certainly imagine that most women using this app probably weren't telling the angry misogynists in their lives about this app.

[–] panda_abyss@lemmy.ca 25 points 2 months ago (1 children)

At least they’re honest, they did spill tea.

A whole lot of tea.

[–] the_riviera_kid@lemmy.world 23 points 2 months ago (8 children)

"Stop attacking us guys we just want to do a little misandry" -Tea app

[–] guyoverthere123@lemmy.dbzer0.com 19 points 2 months ago (5 children)

Don't want your information on the internet? Don't upload it to anyone on or over the internet, it really is a fucking simple concept.

[–] rottingleaf@lemmy.world 11 points 2 months ago

Fucking simple concept which major businesses are economically compelled to gaslight you out of.

So the problem is in economics.

Each such business provides all of their infrastructure, expensive, good and well-maintained (Google has its own Internet cables), which is not separated from their application services.

So one provider of infrastructure (in the wide sense, solving all the problems) usually serves many users of their own application and many application providers (I'm inventing terms) without their own infrastructure.

While a user of an application generally can't switch infrastructure providers as they want. It's kinda technically fine and normal (there are NTP server pools, one could in the olden days search many FTP servers for the needed file, and so on), but doesn't happen IRL. Because there's no standard way for pooling resources and tracking them, and there are no applications using it.

So - the data model (cryptographic global person identities, globally identified by some derived hash posts (a post is, say, datetime, author, some tags, content, hash of it all, signatures, I dunno) (creation of a group or a vote or a changing of privileges or moderation can be a post too), for forming a representation for the user a group is "replayed" in the right order to know which user had a privilege to, say, moderate posts etc ; one can also generate group snapshots from time to time when replaying thus, by the group owner identity, to make it faster) is orthogonal to the service model. That's important so that it would be fit for alternative service models, like sneakernet or offline-enabled mesh or anything delay-tolerant. Or at least a p2p kademlia DHT-based service model.

The service model - the core of it all is a tracker service. It works like a tracker in BitTorrent (or maybe Hotline, but that's old), except with signed announces, and it tracks search and storage and relay and maybe even computation services (which announce themselves to it). A search service gets storage services from trackers and indexes their contents (one can even announce objects to a search service similarly to trackers, might be better) to search by tags. A storage service just stores objects and yields them. A relay service must be harder, you the user must somehow announce (to trackers too?) which relay service you are registered on at this moment, a bit like SIP or like SMTP (only very temporary), so that messages to that relay service would reach you.

The client would just request a bunch of trackers for all things they need - to search for stuff for services, then request these services and merge their results. Forming a group representation is "searching for stuff" too, and then getting the objects referenced by index service responses from a bunch of storage services. To notify another user that you've sent them a message one can use a relay service.

I think it's easy to see that it's kinda primitive other than requiring proper cryptography. And it's a global system working over the Internet (except no, it doesn't exist). Similar to NOSTR, but I think better due to separation of data model and service model.

The advantages of this - one still can make any kinds of applications using such common infrastructure, but this might hurt the resource-based feudalism we have. Similar to how BitTorrent keeps working despite quite a few people not liking it.

The disadvantages - well, stuff will get lost, there are paid BT trackers but no paid BT peers, while in such a system paid storage and other services would be a thing (still much better than Facebook).
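The data model sketched in the comment above (signed, content-addressed posts; group creation and moderation as posts; a group "representation" obtained by replaying them in order) can be made concrete. The following is an added example written for this page, not the commenter's code and not NOSTR's. It assumes Ed25519 keys, a hex public key used directly as the person's global ID, SHA-256 over canonical JSON as the post hash, and tag names chosen here (`group:create`, `mod:grant`, `mod:remove`) to mark privilege-changing posts. Replay drops entries whose hash or signature fails, and privilege changes from identities that do not hold the privilege, so the group state depends only on validly signed history, whichever storage service the posts came from.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"sort"
)

// Identity: an Ed25519 key pair whose hex public key doubles as the global name (assumed here).
type Identity struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity() Identity {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG does
	return Identity{pub: pub, priv: priv}
}
func (id Identity) ID() string { return hex.EncodeToString(id.pub) }

// Post: datetime, author, tags, content, the hash of those four, and a signature over the hash.
type Post struct {
	Time    int64    `json:"time"`
	Author  string   `json:"author"`
	Tags    []string `json:"tags"`
	Content string   `json:"content"`
	Hash    string   `json:"hash,omitempty"`
	Sig     string   `json:"sig,omitempty"`
}

// digest is the content address: SHA-256 of canonical JSON (struct field order is fixed).
func (p Post) digest() []byte {
	body, _ := json.Marshal(Post{Time: p.Time, Author: p.Author, Tags: p.Tags, Content: p.Content})
	sum := sha256.Sum256(body)
	return sum[:]
}

// Sign creates a post by id with Hash and Sig filled in.
func (id Identity) Sign(t int64, tags []string, content string) Post {
	p := Post{Time: t, Author: id.ID(), Tags: tags, Content: content}
	d := p.digest()
	p.Hash, p.Sig = hex.EncodeToString(d), hex.EncodeToString(ed25519.Sign(id.priv, d))
	return p
}

// Valid reports whether Hash matches the fields and Sig verifies under Author.
func (p Post) Valid() bool {
	pub, err1 := hex.DecodeString(p.Author)
	sig, err2 := hex.DecodeString(p.Sig)
	d := p.digest()
	return err1 == nil && err2 == nil && len(pub) == ed25519.PublicKeySize &&
		hex.EncodeToString(d) == p.Hash && ed25519.Verify(ed25519.PublicKey(pub), d, sig)
}

// GroupState is the group "representation", rebuilt purely by replaying posts.
type GroupState struct {
	Owner   string
	Mods    map[string]bool
	Posts   map[string]Post // surviving posts keyed by hash
	Dropped []string        // hashes of entries rejected as invalid or unauthorised
}

// Replay folds posts from any storage services, in any order, into a GroupState
// (it sorts the slice it is given). The first tag is the kind: "group:create" names
// the owner, "mod:grant" lets the owner promote the ID in Content, "mod:remove"
// lets the owner or a mod drop the post whose hash is in Content; else it is a post.
func Replay(posts []Post) GroupState {
	st := GroupState{Mods: map[string]bool{}, Posts: map[string]Post{}}
	sort.Slice(posts, func(i, j int) bool { // time order; hash is a deterministic tie-break
		return posts[i].Time < posts[j].Time || posts[i].Time == posts[j].Time && posts[i].Hash < posts[j].Hash
	})
	for _, p := range posts {
		privileged := p.Author == st.Owner || st.Mods[p.Author]
		switch kind := append(p.Tags, "")[0]; { // first tag, or "" when there is none
		case !p.Valid(), kind == "group:create" && st.Owner != "", kind == "mod:grant" && p.Author != st.Owner, kind == "mod:remove" && !privileged:
			st.Dropped = append(st.Dropped, p.Hash)
		case kind == "group:create":
			st.Owner = p.Author
		case kind == "mod:grant":
			st.Mods[p.Content] = true
		case kind == "mod:remove":
			delete(st.Posts, p.Content)
		default:
			st.Posts[p.Hash] = p
		}
	}
	return st
}

// Demo replays a small constructed group log that includes one forged entry.
func Demo() GroupState {
	alice, bob, mallory := NewIdentity(), NewIdentity(), NewIdentity()
	hello, spam := bob.Sign(2, []string{"post"}, "hello"), mallory.Sign(3, []string{"post"}, "spam")
	forged := hello // a copy edited after signing: hash and signature no longer match
	forged.Content = "hello, edited"
	return Replay([]Post{
		alice.Sign(1, []string{"group:create"}, "a group"), hello, spam,
		alice.Sign(4, []string{"mod:grant"}, bob.ID()),
		bob.Sign(5, []string{"mod:remove"}, spam.Hash),       // allowed: bob is a mod by then
		mallory.Sign(6, []string{"mod:grant"}, mallory.ID()), // rejected: not the owner
		forged,
	})
}
```

After `Demo()` the state has alice as owner, bob as the only mod, bob's "hello" as the only surviving post, and two dropped hashes: the tampered copy and mallory's attempt to promote herself. Because posts carry the author's public key and their own hash, any peer can run the same replay and reach the same state without trusting the storage or relay service that delivered them; the commenter's "snapshots" would just be a signed checkpoint of this state.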

[–] INHALE_VEGETABLES@aussie.zone 11 points 2 months ago

And live in a cave! 😬

It would be nice if also they secured data too.

[–] fafferlicious@lemmy.world 10 points 2 months ago

don't upload it to the internet!

or use a smart phone

or corporate searches that track you

or go to any website with ads - they track you

hell don't even search the internet! your ISP tracks dns requests

or use a modern tv that tracks what is on your screen

or you can do a custom phone ROM - just unlock the bootloader, root it, and install! then just setup pihole/adguard/self-host everything

it's simple, for privacy just go live in a yurt in the woods to not be tracked 24/7

[–] DreamlandLividity@lemmy.world 9 points 2 months ago* (last edited 2 months ago)

Posted on an article about an app encouraging different users to upload info about you without your consent. Yes, really simple.

[–] Tollana1234567@lemmy.today 17 points 2 months ago (1 children)

it's like the Ashley Madison drama, which exposed cheating.

[–] captain_aggravated@sh.itjust.works 16 points 2 months ago (1 children)

I was today years old when I learned that Ashley Madison is still in operation

[–] Soleos@lemmy.world 11 points 2 months ago (1 children)

If you're out of the loop, I found this article fairly helpful for a primer on the issues. It's CNN, but I can't be arsed to find a more kosher source.

https://www.cnn.com/2025/07/25/us/tea-app-dating-privacy-cec

[–] lmmarsano@lemmynsfw.com 9 points 2 months ago (4 children)

Was this app made by misogynists? Did they "accidentally" fuck up on purpose?

[–] phoenixz@lemmy.ca 14 points 2 months ago

No, the direct opposite

Doesn't matter what side you're on, when you're extremist, you're extremist
