24 comments

[ 2.7 ms ] story [ 55.8 ms ] thread
This is why I immediately nope out of anything that requests a copy of a photo ID.
Out of curiosity I downloaded the larger size one - 200+GB I think (not at my computer right now) and skim through it every now and then. It's depressing - so much toxicity. Everyone seems mentally ill to me - male and female. This is a world completely alien to me and the people close to me.
Does the hash end in ...e63f2 perchance, or is it a different dump?
The 200GB one had a folder called .pad that was about 150GB and had nothing but null byte files in it.

Don't try to brag about something that doesn't exist please

Can you share (or describe where to find) a download link pls? I’m mildly curious to see just how gnarly things get in those kind of “restricted” territories
imho, as much as i like firebase, i think the design encourages this kind of broken security model. the default is open-to-the-world with credentials in the client app. setting up firebase permissions is kind of a pain.

in the traditional db world, at least your db creds live on the server-side app.

"Worsens" is relative.

Discovery of heinous defamation circles, doesn't sound like something to look away from or feel sorry for.

So this is an app where people defame others? Would these leaked communications expose their users to libel charges?
> This information was stored in accordance with law enforcement requirements related to cyber-bullying investigations.

Citation, anyone?

I think it's wrong to upload someone's photo without their consent or knowledge, but I don't think this is right either.
Tea app looks like Kiwi farms, but for girls.
At what point do you just pull the plug out of the wall
While I think this app is disgusting, it’s kinda interesting to see the outrage that this app generated.

Kiwifarms never gets this level of outrage going, and I’d argue it’s an order of magnitude more toxic to society than Tea would be

Cloudflare blocked Kiwifarms. Now and then I read some group trying to boycott Kiwifarms.
(comment deleted)
Consider advocating for data privacy that makes Tea a nonstarter?
Hi all, i'm the security researcher mentioned in the article -- just to be clear:

1. The leak Friday was from firebase's file storage service

2. This one is about their firebase database service also being open (up until Saturday morning)

The tl;dr is:

1. App signed up using Firebase Auth

2. App traded Firebase Auth token to API for API token

3. API talked to Firebase DB

The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.

I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.

Here is a gist of Gemini 2.5 Pro summarizing 10k random posts: https://gist.github.com/jc4p/7c8ce9a7392f2cbc227f9c6a4096111...

And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.

If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56

And here's the output of that script (any db that has <100 rows is something another "hacker" wrote to and deleted from): https://gist.github.com/jc4p/bc35138a120715b92a1925f54a9d8bb...

Now reverse sexes and imagine if such an app would be allowed to exist in the first place
"The platform states that selfies were not deleted as expected to comply with law enforcement requirements related to cyber-bullying prevention."

This is why laws that say "just give websites your photo ID! It's for the safety of the children!" are concerning

Except, that's not how most laws mandate it. The verification of personal data, its storage and the subsequent authentications based on it are done by a trusted third party - usually a government agency. Either they (the agency) maintain the mapping between the real life identities and the 3rd party online accounts, or they give the 3rd party an ID code which cannot be used to retrieve the personal info without the consent of both the agency and the individual user. Thus, you don't litter your personal data everywhere on the web and risk leaking it like this.

All that said, I'm still not a fan of such invasive arrangements and laws.