Last month, we saw the massive data breach of the “Tea App” — a smartphone app for women to talk about men they don’t like — resulting in over 60 GB of personally identifiable data leaked out to the public. Stuff like selfies and pictures of drivers licenses.
Well, it didn’t take long for a “TeaOnHer” App to appear — with the same basic functionality, except this time for men to talk about women they don’t like.
And, of course, the developer of “TeaOnHer” made the same basic mistake that the “Tea App” made: They permanently stored a ton of personal information. Including, once again, divers licenses.
You can already see where this is going.
Driver’s Licenses Everywhere
Almost as soon as the “TeaOnHer” app went live, writers for TechCrunch went looking to see if they could easily access any of that data. Because wouldn’t that be crazy if a copy-cat app made the exact same kind of security mistakes as the app it was copying?
What TechCrunch found was that it took no more than around 10 minutes for them to begin accessing pictures of drivers licenses of user accounts.
10 minutes!
With a bunch of the usual suspects of bad security being involved: unprotected file storage (in this case, Amazon), public API documentation, and a lack of secured API calls.
Now, unlike the “Tea App” breach — which resulted in massive archives of personal data published all over the web — it isn’t known if these vulnerabilities actually resulted in significant data archives getting out there in the wild.
But, as the writers at TechCrunch put it, “The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did.”
There’s a Lesson Here… But it Won’t Be Learned
Sure, this “hack” of the “TeaOnHer” App was easy — as was the hack of the “TeaApp” before it. Both of those systems were comically insecure.
But, the reality is, no complex online system is truly secure.
Have a website or App which stores (and publishes) user data? It can be hacked.
And, if there is sufficient interest in obtaining whatever data is being stored, not only can it be hacked… but it will be hacked.
The HaveIBeenPwned site, alone, has documented close to 15 Billion (with a B) accounts which have not only been breached… but reported and (often) made available in some way.
And that 15 Billion is only the breached accounts which we know about.
Anyone who works in IT can tell you that the vast majority of data breaches are never discovered. And the majority of those which are discovered… are never disclosed publicly.
Considering that the current population of the Earth is roughly 8 Billion, it’s safe to assume that every single adult on Earth, with an Internet connection, probably has several breached accounts already.
With the frequency, and size, of such data breaches increasing.
Should these Tea Apps have had better security? You bet your tuchus. From the looks of things neither developer spent any significant time trying to implement even the most basic security precautions.
For Pete’s sake, at least try to slow the hackers down a little.
But the real problem here is not the total lack of security — even “good” security can (and will) be overcome.
No.
The real problem is the type of data being permanently stored, in an Internet accessible way, by these services. If a service is likely to be breached (and any significant service is), a key goal is to limit the amount of data which a hacker can gain access to.
Here are a few good rules of thumb when dealing with data being stored on an Internet accessible server:
Do not store any more data, at any given moment, than is 100% necessary.
If previously stored data is no longer needed, delete it. Completely. Not “flagged” for deletion. Actually deleted.
Whatever data you are storing should be encrypted whenever possible.
If sensitive personal data absolutely must be stored, for legal and regulatory reasons, consider physical archives stored in a secure location instead of an Internet connected server.
And, of course, don’t use unprotected (or barely protected) “cloud” file storage like the numbskull developers of these “Tea” apps did. That never ends well.
Simple guidelines which, if followed, could significantly reduce the negative impact of inevitable data breaches.
But, of course, few online services — big or small — will follow such guidelines. They will continue expanding the quantity of data they store on increasingly complex systems.
Which means we’ll see more and more data breaches — containing an ever increasing amount of personal data.
Welcome to the future.
The stupid, stupid future.
