[unhappy_meaning]

> Images of these driver’s licenses are publicly accessible web addresses, allowing anyone with the links to access them using their web browser.

> TechCrunch also identified a potential second security issue, in which an email address and plaintext password belonging to the app’s creator, Lampkin, was left exposed on the server

> While the app requests IDs and selfies from its users to verify their identities — a process that is not automatic — users can access a “guest” view of the app without signing in.

Is this just bad development? Are these just things could be missed by any developer or team?

I'm curious as someone who would like to create side projects with users (albiet not dubious ones these like apps) but I'm always afraid of a glaring security flaw that would be basic 101 of web development.

[siva7]

> Is this just bad development? Are these just things could be missed by any developer or team

This couldn't be missed by competent developers, in both cases (tea and teaonher incidents). I'm not trying to be harsh, but i wouldn't call such teams competent and i'm fully aware that such bad teams exist. Also with the advent of a.i./vibe coding, people with no qualifications and/or experience in software development are now trying to sell / fake themselves as professional developers which also leads to such catastrophic security situations. You wouldn't hire a barista to build a bridge from a 2-week bridge building bootcamp but a licensed civil engineer, yet in software world this idea doesn't seem out of the order.

[01HNNWZ0MV43FF]

> Is this just bad development? Are these just things could be missed by any developer or team?

As the saying goes, "Human error is not a root cause". A good Five Whys would eventually hit something:

Why did the DL pictures leak? Because the images were accessible via public URL. Why were they accessible that way? Because nobody on the team checked they were not. Why did nobody check?

Maybe not enough red team thinking was employed. It's easy to make an app and say "Look we have a sign-in screen, it's secure", but you need to think from the attacker's perspective and make sure every route to every piece of sensitive data is actually secure.

[unhappy_meaning]

> ... you need to think from the attacker's perspective and make sure every route to every piece of sensitive data is actually secure.

This is almost "paralyzingly" scary but to not think about it at all is something I cannot fathom from the developers who made these apps.

Doing some more digging into these two "CEOs" of Tea and TeaOnHer. The TeaOnHer CEO is a Criminal Justice graduate from UMD with some comments about using claude.ai and the Tea CEO looks like he took a 6 month coding bootcamp at UC Berkeley. I don't want to dog on their background because I also don't have a CS degree but man...

[NoMoreNicksLeft]

Your explanation is too simplistic. I've found magazine subscription pages where the link to the pdf is display:none in css. (I downloaded their entire back catalog.) This isn't that they missed a few routes to files when securing things, but that they are utterly clueless. Invariably, such software projects employ a number of contractors who for whatever reason can barely cobble together the functionality that is repeatedly demanded by the clients, let alone any of the common-sense features that these people fail to realize that they must also nag for.

[OptionOfT]

>> Images of these driver’s licenses are publicly accessible web addresses, allowing anyone with the links to access them using their web browser.

Not justifying it, but many applications consider the uniqueness of the URL enough protection to prevent discovery.

> Is this just bad development? Are these just things could be missed by any developer or team?

It's not knowing them. And when you vibe-code something, and don't prompt for it, it's not gonna do it.

[gitremote]

> Not justifying it, but many applications consider the uniqueness of the URL enough protection to prevent discovery.

Yes, that's why it's the #1 most common web security vulnerability in production code:

https://owasp.org/Top10/A01_2021-Broken_Access_Control/

"Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)"

What vibe coding promoters don't understand is that the average web developer hasn't learned web security 101. Proof: HN commenter points out that "A01:2021 – Broken Access Control" is completely normal in production code.