Tea app leak worsens with second database exposing user chats

(bleepingcomputer.com)

111 points | by akyuu 16 hours ago

16 comments

  • comrade1234 15 hours ago
    Out of curiosity I downloaded the larger size one - 200+GB I think (not at my computer right now) and skim through it every now and then. It's depressing - so much toxicity. Everyone seems mentally ill to me - male and female. This is a world completely alien to me and the people close to me.
    • kbelder 15 hours ago
      Right, "a pox on both their houses". The leakers, the people using the app, the men, the women, all seem gross. There are innocent men and women swept up in this, but it just seems like an unsavory neighborhood of the internet that people should avoid.
      • WD-42 14 hours ago
        That’s how I see it. There’s so much negativity surrounding this entire app - best to avoid interacting with it in any way on either side.
      • monkeywork 13 hours ago
        I don't look down on the leakers any more than I would with any other security breach being released (I certainly didn't hear people using this same language of disgust over say 4chan being hacked or back in the day when Ashley Madison was hacked).

        For me the only people I'm looking at with disgust is those who were using said app... it was a gossip cesspool with no way to verify any of the claims being said and a breeding pool for hateful posts against people you dislike.

        The meme floating around of "I joined a site to dox and spread personal info about people got hacked and now my personal information is being spread around waahhahaaa" is pretty damn accurate and makes me not feel bad for them at all.

    • Loughla 14 hours ago
      Believe it or not, the Internet has not helped people be better in many cases. Sometimes it enables the worst of our personalities to really shine through.
      • theshrike79 6 hours ago
        It used to be so that the Village Crazy got called crazy and either they figured out "shit, I'm crazy" and toned it down or they just lived alone being crazy.

        Now the Village Crazy can find others with their exact flavour of crazy online and think that it's cool and everyone is doing it. Then they get deeper and deeper into their crazy, maybe transitioning into other flavours of crazy.

      • aydyn 14 hours ago
        Absolutely. It's funny when people on HN unironically claim this site to be a tiny miraculous exception.
        • swat535 1 hour ago
          The worst part is that God forbid the genders were reversed and you had a male only app to discuss their relationships.

          The app would be banned within a few seconds and 90% of people here would celebrate it.

          Majority of people assume the following:

          1. Men don't deserve to have private spaces

          2. Men can't be victims of abuse (sexual, physical or else)

          3. Men don't need to be protected from toxic relationships

          4. Women don't need to ask men for consent

          Men here refers to all men, including trans men, homosexuals, bisexuals, heterosexuals, etc.

          Perhaps, it's time that we have an honest discussion about the realities of living in the world as a man in 2025.

          If you're reading this and find my comment in bad taste, or that it frustrates you, I highly encourage that you take some time and introspect as to why you feel that way.

        • frollogaston 13 hours ago
          This really is the most friendly forum I've been on that isn't something ultra-specific like crownvic.net
          • chrisg23 11 hours ago
            I'm new here but I agree. The ratio of discussions to arguments here is like the inverse of most large forums.

            It's not perfect of course, neither am I.

          • 7thaccount 13 hours ago
            Is that a forum for people with crown Victoria vehicles?
            • frollogaston 13 hours ago
              Yeah. I'm not signed up there, just end up finding advice and docs there often if I'm fixing something on my Vic.
              • claudiulodro 13 hours ago
                Was not expecting to see crownvic.net on HN! Definitely the best and friendliest resource for the Panther platform!
                • frollogaston 13 hours ago
                  The Panthers show up when you least expect them.
          • whamlastxmas 3 hours ago
            Honestly I saw more petty drama on the Toyota Yaris forums than I ever do here
      • jasonm23 13 hours ago
        s/Sometimes/By default/
    • jamal-kumar 13 hours ago
      There is the AWDTSG social media groups that this app shamelessly took the idea from in an attempt to monetize it, and the thing is that these groups probably serve the exact same function just fine without egregious mistakes in the name of move fast and break things techbro profit like 'exposed s3 buckets a literal child could have found' regardless of anyone's opinion on whether they should exist or not

      There's also the fact that the big story in the USA right now is how some app got hacked exposing everyone's IDs, and the big story in the UK right now is that they want everyone to enforce ID verification for literally everything, and they want people to think this is somehow safe and not just a time bomb waiting to blow.

    • catlikesshrimp 13 hours ago
      To add something useful, I have been in mental asylums. There are physically dangerous people who aren't full of negative emotions. Most psychiatric patients don't have ill feelings towards others in general, only toward themselves.

      I have no idea why many hateful minds meet in places like that you mention; maybe it is some specific interactions that spark the noxious emotions, but I am no expert. It is similar to highschool extremely cool kid circles and fraternities, only for reverse reasons (alone together vs in a group)

    • senectus1 12 hours ago
      I don't know if this is just my 50 yr old view of the world... but imho there is a lot of this going around.

      Workmates, family, people on the streets and in shops. Just so many angry toxic people. It's like a cultural change (am in Australia btw).

      It's not everybody, but it's definitely a larger number than I remember in the past few decades.

    • throwanem 15 hours ago
      Miłosz would recognize it, I think.
      • tempnew 13 hours ago
        The poet? Murti-bing pills?
    • dzonga 15 hours ago
      where from ? so I can explore too ?
      • marethyu 13 hours ago
        All I can find is this magnet link: magnet:?xt=urn:btih:brl45s3ysyotj6ljolmtnrlvfmyv4y7s&dn=tea&xl=59368985613&fc=57794 but this is not 200gb one...
    • cindyllm 14 hours ago
      [dead]
    • fsckboy 14 hours ago
      [flagged]
      • reactordev 14 hours ago
        [flagged]
        • wredcoll 12 hours ago
          I think the important thing is to generalize from this one experience and apply sweeping stereotypes to massive groups of people.
          • frollogaston 11 hours ago
            It's not right, but the real average is a kinda tough situation too, not anyone's fault really. Most family-oriented women aren't waiting til 36, most younger women aren't dating with 10+ year age gap, being divorced makes it harder no matter what the reason is. I have some relatives dealing with this.
            • reactordev 11 hours ago
              Yup - I’ll just wait for someone else’s marriage to fall apart and then I’ll find my person :D
        • pureagave 13 hours ago
          This is such a fair read on the situation in America. Hang in there man. You can escape it but you need to leave the country.
          • reactordev 13 hours ago
            I’m waiting for my own EU savior to give me safe passage :D we all have our delusions. Come here on vacation… partially fluent in Spanish, English, and can get by with French, German, Italian, Portuguese.
        • 9cb14c1ec0 13 hours ago
          Rather than dying alone, find a robust offline community of people, and seek a partner there.
    • slg 13 hours ago
      [flagged]
      • AuthAuth 12 hours ago
        It's public info, you can't cover your eyes and pretend it doesn't exist right there for everyone to see. That's the reason why leaks are so bad.
        • neilv 11 hours ago
          If someone gets beaten up and left in the street, and, consequently, their wallet is lying right there beside their unconscious body, is it OK for you to take their wallet?

          I mean, you can't pretend the wallet isn't right there, for everyone to see, just begging for someone to take it? This is why beatdowns are so wrong? The person who takes the wallet is as much a victim as anyone? Blame society?

          • GloomyBoots 10 hours ago
            This feels like a very dated metaphor. When my older brother introduced me to Napster, was I actually rifling through Lars Ulrich’s wallet and shaking out mp3s?

            In this case, a clone of the wallet has been preserved for all and sundry to peruse. Is it really wrong as a genuinely curious person not to pretend it isn’t there?

            There’s a lot to be said about privacy on the Internet. I don’t think there’s much to be gained by attacking those who, out of genuine curiosity, don’t abide by the same polite fictions as the rest of us. I don't like browsing random strangers’ PII. I tend to hope those who do show due respect. And I don’t see any sign of malice in GP.

            • neilv 9 hours ago
              IP theft isn't the same thing as privacy violation.
          • AuthAuth 10 hours ago
            The information is spread all across the internet. By reading this thread you can see people's "private" conversations. There is no point in judging the people who see the information once it's public. It's like walking down the street with no clothes and then getting mad at people who looked.
            • slg 8 hours ago
              The information might be viewable from the public, but there was still an expectation of privacy at the start of this. It isn't a naked person walking down the street, it is someone getting naked in their own home and you're peering through their window. Neither the legal status of that action nor other people also being able to see in the window makes it morally justifiable to violate the original expectation of privacy.
    • tempnew 13 hours ago
      [dead]
  • igor47 15 hours ago
    imho, as much as i like firebase, i think the design encourages this kind of broken security model. the default is open-to-the-world with credentials in the client app. setting up firebase permissions is kind of a pain.

    in the traditional db world, at least your db creds live on the server-side app.

    • frollogaston 15 hours ago
      Firebase's DB (Firestore) being almost default-allow is even funnier, and that was the core functionality from the start, leading to tons of huge breaches over the years. At least a public file bucket is a more valid use case, except I'm guessing they left the "list files" permission open. Edit: Oh, chat DB is probably Firestore, so they left that open too, nice.

      Having used it several times, yeah I wouldn't entrust it to a dev team. It's gotten better lately but still seems like the gun is always pointed at your foot.

      Also GCP, storing secrets properly in AppEngine is notoriously difficult and prone to accidental git-commit: https://stackoverflow.com/questions/58371905/how-to-handle-s...

      • andrepd 14 hours ago
        It's to this kind of quality engineering that they want me to entrust my ID so I can watch pr0n or insult a politician online. Jesus.
        • frollogaston 13 hours ago
          Are they specifically using Firebase for that? I'm not saying GCP is unsafe in general, just Firebase.
    • darth_avocado 14 hours ago
      I wonder why I learnt “deny by default is a good starting point” in an undergraduate computer science course decades ago.
      • xorcist 4 hours ago
        The ones that did lost in the marketplace against the competitor which was more plug-and-play.

        True story.

      • sudoshred 12 hours ago
        My naive understanding is that is the same approach taught in introductory law school.
      • moomoo11 14 hours ago
        bro going to university is so overrated, just start vibe coding xD

        /s btw

    • moomoo11 14 hours ago
      I'm a fan of rolling actual databases, but please don't blame Firebase.

      This is completely the fault of the people who made that app.

      They have no fucking idea how to build systems if they can't figure out how to lock down Firebase. It isn't that hard.

      Source: Multiple Firebase apps back in the day.

      • tbrownaw 13 hours ago
        No, hazardous defaults can be a source of fault for the entity providing them.
        • moomoo11 8 hours ago
          Ok but it’s not like pg can’t stop you from doing something dumb.

          There are probably countless new projects today that are storing plaintext passwords, or not adding scoping, and so on.

          Putting in scopes and ensuring data security for both users and system wide is on the developer.

      • BoorishBears 11 hours ago
        I blame Firebase, this is the 2nd app I saw get owned this way in the last 2 weeks, similar complete break-in including user data
        • moomoo11 8 hours ago
          Their docs literally show how to prevent this. It’s part of the tutorial even iirc.

          But sure blame firebase lol

  • dlcarrier 15 hours ago
    This is why I immediately nope out of anything that requests a copy of a photo ID.
    • dom96 14 hours ago
      Then how do you live in this world? You cannot avoid providing a copy of your photo ID to someone at some point in your life.

      We really need some sort of standard for sharing specific and limited authenticated info about ourselves to third-party websites that doesn't require sharing a full photo ID.

      • fc417fc802 14 hours ago
        You can't avoid it, but you can choose to refuse unless there is a legitimate need for it. Very few brick and mortar interactions require it, and at least historically a copy wasn't retained but rather verified on the spot by the business agent.

        We really don't need a standard for sharing it online, at least nothing easy for businesses to implement. There are very few legitimate scenarios for an online service to ask for that. Online pharmacy, online signup with a bank, and online government interactions are the only ones that immediately come to mind.

        I'm not even sure that the pharmacy case is legitimate now that I think about it. I don't need ID when I go in person. The prescriber can validate the mailing address for them.

        • tempnew 13 hours ago
          If you need to buy Sudafed in a pharmacy you need a driver's license, and I believe they record the information somehow. Presumably online alcohol or marijuana sales would also require some retained evidence that a DL was presented. Maybe car insurance too.
      • dlcarrier 5 hours ago
        I show it to people, when needed, but don't send out copies.
      • hn_acc1 14 hours ago
        Sure, if I'm applying for a mortgage, or boarding an airplane.

        Just to register for one-more-app / one-more-webboard? Nope.

      • WD-42 14 hours ago
        You use judgement. I’d upload my id to a passport renewal site provided by the govt.

        Some private app for rating other human beings? Nope.

        • tough 13 hours ago
          you have higher trust in your government IT services than I do in mine
          • WD-42 13 hours ago
            Well I hope you didn’t trust this particular private app!
      • djoldman 13 hours ago
        This is a great question.

        I dislike it to such a degree that I try to avoid services that require it.

        Sometimes, however, it's worth trying to access services without giving the ID and just saying oh I'd like to keep that private or just not providing it and submitting an application for services without it.

        Additionally, try to apply in person as often they'll accept paper.

        It doesn't work in the majority of situations but it's worth a try.

    • gruez 13 hours ago
      Any sort of fintech (including crypto exchanges) is going to require photo ID scans (and possibly even some sort of live selfie stream, to make sure the scan isn't from some leak) for KYC reasons.
    • tbrownaw 13 hours ago
      Last time I did a certification exam (CKA) I had to provide an ID to the online proctoring people.
    • klipklop 14 hours ago
      Seems like Western governments are pushing for this to be the default to interact with almost any website soon enough. You know, to "protect the children." Soon you will have to nope out of the entire internet.
    • paulpauper 14 hours ago
      maybe AI will become good enough to create realistic IDs
    • iszomer 15 hours ago
      Especially the IRS? eg, ID.me?
      • zamadatix 14 hours ago
        Most people don't actually require ID.me to deal with the IRS, even if e-filing.
        • frollogaston 14 hours ago
          If you lost your last return and need to request a transcript, I think it's your only option
      • fc417fc802 14 hours ago
        I mean yeah, I'm extremely uncomfortable with commercial ID solutions when accessing government services. When I can I even avoid government websites that have captchas or other third party resources on them but that's becoming increasingly unworkable. It's absurd that I should be required to leak my personal information to third parties in order to make use of a government service (ie something with no competition that I am legally obligated to use).

        For the IRS it doesn't even make sense because I can drop paper forms in the mail. Don't need any ID whatsoever for that.

        • iszomer 13 hours ago
          I don't trust dropping any PII/payment-related forms in the mail either, stemming from a recent experience in which NYC's DoF had used my information to pay for services on my behalf without authorization.
  • mg794613 15 hours ago
    "Worsens" is relative.

    Discovery of heinous defamation circles doesn't sound like something to look away from or feel sorry for.

    • fn-mote 14 hours ago
      > doesn't sound like something to look away from

      Frankly, I don’t waste my time online with toxic behavior. In real life, I might have a response. Online, it is too hard to get an idea if the interaction is even sincere.

      • mg794613 14 hours ago
        You're completely right, sorry, I meant more for authorities, not you or me.
  • jc4p 12 hours ago
    Hi all, I'm the security researcher mentioned in the article -- just to be clear:

    1. The leak Friday was from Firebase's file storage service

    2. This one is about their Firebase database service also being open (up until Saturday morning)

    The tl;dr is:

    1. App signed up using Firebase Auth

    2. App traded Firebase Auth token to API for API token

    3. API talked to Firebase DB

    The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.

    I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.

    Here is a gist of Gemini 2.5 Pro summarizing 10k random posts: https://gist.github.com/jc4p/7c8ce9a7392f2cbc227f9c6a4096111...

    And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.

    If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56

    And here's the output of that script (any db that has <100 rows is something another "hacker" wrote to and deleted from): https://gist.github.com/jc4p/bc35138a120715b92a1925f54a9d8bb...
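The root cause described above (and in the Firebase "default-allow" discussion earlier in the thread) is a Firestore ruleset that grants every signed-in account full read/write access, so any throwaway account can address other users' documents directly and bypass the app's own API. The rules below are an added illustration, not Tea's actual configuration: the first block reproduces the over-broad pattern, the second scopes access to the requesting user, and the third is the option that fits the described architecture where all traffic was meant to flow through the server. Collection names (`users`, `chats`, `messages`) and field names (`participants`, `senderId`) are assumed for the example.

```firestore
rules_version = '2';

// --- 1. Over-broad ruleset: the pattern behind this class of breach ---
// Any authenticated identity (including a self-registered dummy account)
// may read, create, update and delete every document in the project.
// This is what turns a leaked/obtained Firebase Auth idToken into an IDOR.
//
// service cloud.firestore {
//   match /databases/{database}/documents {
//     match /{document=**} {
//       allow read, write: if request.auth != null;
//     }
//   }
// }

// --- 2. Scoped ruleset: deny by default, grant per-user ---
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    // Assumed schema: chats/{chatId}.participants is a list of uids.
    function isParticipant(chatId) {
      return signedIn()
        && request.auth.uid in get(/databases/$(database)/documents/chats/$(chatId)).data.participants;
    }

    // Profile documents are keyed by uid; a user may only touch their own.
    match /users/{userId} {
      allow read, create, update: if signedIn() && request.auth.uid == userId;
      allow delete: if false;
    }

    // Chat metadata is readable only by its participants and never
    // written from the client (created server-side via the Admin SDK).
    match /chats/{chatId} {
      allow read: if isParticipant(chatId);
      allow create, update, delete: if false;

      // Messages: participants can read; a participant can only create a
      // message attributed to themselves; no client-side edits or deletes.
      match /messages/{messageId} {
        allow read: if isParticipant(chatId);
        allow create: if isParticipant(chatId)
          && request.resource.data.senderId == request.auth.uid;
        allow update, delete: if false;
      }
    }

    // No wildcard match here: anything not listed above is denied.
  }
}

// --- 3. Backend-only ruleset ---
// If, as described above, clients are supposed to talk only to the app's
// own API (which then talks to Firestore), the client-facing rules should
// deny everything. The Admin SDK used by the server bypasses these rules.
//
// service cloud.firestore {
//   match /databases/{database}/documents {
//     match /{document=**} {
//       allow read, write: if false;
//     }
//   }
// }
```

Only one `service cloud.firestore` block can be deployed at a time, which is why alternatives 1 and 3 are commented out; the Firebase Rules Playground or the local emulator can be used to confirm that a second account's uid is denied on another user's `users/{userId}` document under ruleset 2.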

    • coopreme 11 hours ago
      Are you concerned about potential CFAA issues?
      • jc4p 11 hours ago
        Yes! haha! But hopefully I have a good enough support group and connections that I'll be ok if that happens, I just really wanted to prove that they were not being honest when they said it was data prior to 2024.
    • shkkmo 9 hours ago
      Doesn't that Gemini summary gist tie usernames to pretty specific highly personal non-public stories? That seems like a significant violation of ethical hacking principles.
      • jc4p 8 hours ago
        They're anonymous usernames the app had them make and they were told don't use anything shared elsewhere and I googled and there's not any uniquely identifiable people from any of them.

        They seem generic enough that I think it's okay, but you're right there is no need to include them and I should've caught that in the AI output, thank you!!

  • deepfriedchokes 14 hours ago
    So this is an app where people defame others? Would these leaked communications expose their users to libel charges?
    • Gigachad 14 hours ago
      I doubt it if they were private communications.
      • Perceval 12 hours ago
        Even private written communications can be libel if they are false and injure the reputation of the subject.
        • mensetmanusman 10 hours ago
          Not as part of a mass hack where one could just argue it’s fake data.
          • whamlastxmas 3 hours ago
            It isn’t that straightforward. If you wrote it and it got published, it still counts as published even if you didn’t publish it yourself. The crux of libel is that you made it permanent somehow by writing it.
            • Gigachad 2 hours ago
              Who's to say you wrote it and that the hackers didn't just insert that in the dataset?
  • exabrial 14 hours ago
    I think it's wrong to upload someone's photo without their consent or knowledge, but I don't think this is right either.
    • joshdavham 13 hours ago
      This is correct. While I’m not sad about Tea’s most toxic users being exposed, there were likely also many innocent women caught in the crossfire who likely just signed up out of curiosity.
    • nsksl 14 hours ago
      Live by the sword.
  • general1726 14 hours ago
    Tea app looks like Kiwi farms, but for girls.
  • fruitworks 14 hours ago
    At what point do you just pull the plug out of the wall
  • realsolipsist 3 hours ago
    Well that’s it. I can’t sneed.
  • singleshot_ 14 hours ago
    > This information was stored in accordance with law enforcement requirements related to cyber-bullying investigations.

    Citation, anyone?

  • cmxch 12 hours ago
    Consider advocating for data privacy that makes Tea a nonstarter?
  • booleandilemma 14 hours ago
    What happened with this app feels like karma.
    • OutOfHere 14 hours ago
      Yet, the app is alive and thriving. For some reason, Google and Apple are protecting it.
      • monkeywork 13 hours ago
        because news articles and media are putting out this narrative that the site was a "safety tool" that was critical in allowing women to "protect themselves", instead of what it actually was: a gossip and hate-spewing site with zero oversight/recourse for anyone who is being slandered.

        The app stores haven't pulled it because they are waiting for this to flow out of the news cycle and reduce the impact of this subset of our culture freaking out at them.

        • cwmoore 13 hours ago
          You are now permanently banned from /r/TwoXChromosomes
        • frollogaston 13 hours ago
          Say I were single and ended up being slandered on that site, what would happen? Sounds like the users on there are not the kind I'd want near me anyway.
          • npteljes 14 minutes ago
            The outcome is very hard to determine, because we don't know your goals and circumstances. Focusing on the downsides,

            1. Wrt/ dating, the obvious downside is that your potential partner is dissuaded from dating you because of what is said on the platform.

            2. I can also see vigilante justice; an extremist reaction to what is said on the platform. Actual violence, or just harassment, online or real life.

            3. Or, I can see corporations using these databases on the down low to filter potential employees, similar to how they screen online presence as well.

            Of course, all of these are just potential risks, not things that actually happen(ed yet).

          • _--__--__ 13 hours ago
            There is no safe amount of attention from people who spend their time sharing 'drama' online. The most extreme example is the kiwifarms lolcow stuff, but even very normal and boring internet 'microcelebs' learn the hard way that some insane person somewhere will decide they don't like you and go out of their way to interfere with your life and relationships.
          • monkeywork 12 hours ago
            That's the equiv of saying I don't need privacy because I have nothing to hide.

            Just because you don't want anything to do with the type of people who would post pictures of you and slander / shit talk you doesn't mean that you should want that being out there to begin with - it's not like that sort of thing hasn't ever been weaponized against someone before.

            The worst part is with this app there is a high chance you'd never find out that anything was ever said about you until the snowball is so big that it'll crush any attempt to slow it down.

          • booleandilemma 11 hours ago
            Imagine being shadow banned from dating.
            • frollogaston 11 hours ago
              That's only if the normal women are on that website. Which could happen, but sounds like it was a weird place.
        • tough 13 hours ago
          if the US govt had told the company to get their shit together or close up after the first leak, the second one wouldn't have happened
      • scarmig 11 hours ago
        <tinfoil>Google is invested in ratcheting up the war behind the sexes, because it atomizes people and makes them prime targets for an upcoming companion AI product.</tinfoil>
      • cmxch 12 hours ago
        They wouldn’t protect it if it were a male oriented dating safety app.
        • monkeywork 11 hours ago
          because there is no subset of our current culture that would go scorched earth on them over the removal.

          They aren't so much picking sides based on their moral compass as picking sides to induce the least harm to the bottom line.

          • OutOfHere 1 hour ago
            > picking sides to induce the least harm to bottom line.

            This is why Google has a large number of scam dating apps on its app store. The apps I refer to are near/complete scams with 99% fake profiles and 1% lured, like the phishers of Myanmar, only these are Western. They bring big money in.

  • thefz 8 hours ago
    Now reverse sexes and imagine if such an app would be allowed to exist in the first place
  • budududuroiu 13 hours ago
    While I think this app is disgusting, it’s kinda interesting to see the outrage that this app generated.

    Kiwifarms never gets this level of outrage going, and I’d argue it’s an order of magnitude more toxic to society than Tea would be

    • yanderekko 13 hours ago
      KF never topped the app store charts, nor had the widespread defense that Tea did.
    • mcosta 2 hours ago
      Cloudflare blocked Kiwifarms. Now and then I read some group trying to boycott Kiwifarms.