by 01HNNWZ0MV43FF 314 days ago
> Is this just bad development? Are these just things that could be missed by any developer or team?

As the saying goes, "Human error is not a root cause". A good Five Whys would eventually hit something:

Why did the DL pictures leak? Because the images were accessible via public URL. Why were they accessible that way? Because nobody on the team checked they were not. Why did nobody check?

Maybe not enough red team thinking was employed. It's easy to make an app and say "Look we have a sign-in screen, it's secure", but you need to think from the attacker's perspective and make sure every route to every piece of sensitive data is actually secure.
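An added illustration of the check this comment is asking for (example code written for this thread, not code from either app or from the commenter): a document image that is reachable by anyone who knows its URL, beside a handler that authenticates and then authorizes per object, and a route sweep that fails whenever a route marked sensitive answers an anonymous or wrong-user request with 200. The route table, users, image ids and bytes are all constructed for the example.

```python
"""Toy model of the failure described above: a verification image reachable
by anyone who knows its URL, beside a handler that enforces object-level
authorization, plus a sweep over every sensitive route that fails if the
route answers an unauthenticated or wrong-user request.

All data here (users, roles, image ids, bytes) is constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data: who uploaded which verification image.
IMAGE_OWNER: Dict[str, str] = {"img-1001": "alice", "img-1002": "bob"}
IMAGE_BYTES: Dict[str, bytes] = {"img-1001": b"<alice-id-jpeg>", "img-1002": b"<bob-id-jpeg>"}
USER_ROLES: Dict[str, str] = {"alice": "member", "bob": "member", "carol": "verifier"}


@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None models an unauthenticated caller


@dataclass
class Response:
    status: int
    body: bytes = b""


def image_id_from_path(path: str) -> str:
    return path.rsplit("/", 1)[-1]


# --- Vulnerable handler: the URL itself is the only "secret". ---
def public_image(req: Request) -> Response:
    img = image_id_from_path(req.path)
    if img not in IMAGE_BYTES:
        return Response(404)
    return Response(200, IMAGE_BYTES[img])


# --- Hardened handler: authenticate, then authorize for this object. ---
def private_image(req: Request) -> Response:
    if req.user is None:
        return Response(401)  # not signed in
    img = image_id_from_path(req.path)
    if img not in IMAGE_BYTES:
        return Response(404)
    is_owner = IMAGE_OWNER[img] == req.user
    is_verifier = USER_ROLES.get(req.user) == "verifier"
    if not (is_owner or is_verifier):
        return Response(403)  # signed in, but not allowed to see this object
    return Response(200, IMAGE_BYTES[img])


@dataclass
class Route:
    prefix: str
    handler: Callable[[Request], Response]
    sensitive: bool  # sensitive routes must never return 200 to the wrong caller


ROUTES = [
    Route("/uploads/", public_image, sensitive=True),          # the leak
    Route("/api/verification/", private_image, sensitive=True),
]


def dispatch(req: Request) -> Response:
    for r in ROUTES:
        if req.path.startswith(r.prefix):
            return r.handler(req)
    return Response(404)


def sweep_sensitive_routes(sample_img: str = "img-1001") -> Dict[str, List[str]]:
    """For every sensitive route, try the two callers that must be denied:
    anonymous, and a signed-in member who does not own the object.
    Returns {route_prefix: [callers that got 200]}; an empty list means the route passed."""
    owner = IMAGE_OWNER[sample_img]
    outsider = next(u for u, role in USER_ROLES.items() if u != owner and role != "verifier")
    findings: Dict[str, List[str]] = {}
    for r in ROUTES:
        if not r.sensitive:
            continue
        failures = []
        for caller, label in ((None, "anonymous"), (outsider, f"other user {outsider}")):
            if dispatch(Request(r.prefix + sample_img, caller)).status == 200:
                failures.append(label)
        findings[r.prefix] = failures
    return findings


if __name__ == "__main__":
    for prefix, failures in sweep_sensitive_routes().items():
        print(prefix, "LEAK to: " + ", ".join(failures) if failures else "ok")
```

The point of the sweep is the loop over the route table rather than any one handler: a sign-in screen on the front door proves nothing about `/uploads/`, so the check has to be applied to every path that can reach the sensitive objects, and marking routes as sensitive in the table makes a forgotten one a test failure instead of a leak.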

2 comments

> ... you need to think from the attacker's perspective and make sure every route to every piece of sensitive data is actually secure.

This is almost "paralyzingly" scary but to not think about it at all is something I cannot fathom from the developers who made these apps.

Doing some more digging into these two "CEOs" of Tea and TeaOnHer. The TeaOnHer CEO is a Criminal Justice graduate from UMD with some comments about using claude.ai and the Tea CEO looks like he took a 6 month coding bootcamp at UC Berkeley. I don't want to dog on their background because I also don't have a CS degree but man...

Your explanation is too simplistic. I've found magazine subscription pages where the link to the pdf is display:none in css. (I downloaded their entire back catalog.) This isn't that they missed a few routes to files when securing things, but that they are utterly clueless. Invariably, such software projects employ a number of contractors who for whatever reason can barely cobble together the functionality that is repeatedly demanded by the clients, let alone any of the common-sense features that these people fail to realize that they must also nag for.