Out of curiosity I downloaded the larger size one - 200+GB I think (not at my computer right now) and skim through it every now and then. It's depressing - so much toxicity. Everyone seems mentally ill to me - male and female. This is a world completely alien to me and the people close to me.
Right, "a pox on both their houses". The leakers, the people using the app, the men, the women, all seem gross. There are innocent men and women swept up in this, but it just seems like an unsavory neighborhood of the internet that people should avoid.
I don't look down on the leakers any more than I would with any other security breach being released (I certainly didn't hear people using this same language of disgust over say 4chan being hacked or back in the day when Ashley Madison was hacked).
For me the only people I'm looking at with disgust is those who were using said app... it was a gossip cesspool with no way to verify any of the claims being said and a breeding pool for hateful posts against people you dislike.
The meme floating around of "I joined a site to dox and spread personal info about people got hacked and now my personal information is being spread around waahhahaaa" is pretty damn accurate and makes me not feel bad for them at all.
To add something useful, I have been in mental asylums. There are physically dangerous people who aren't full of negative emotions. Most psychiatric patients don't have ill feelings towards others in general, only toward themselves.
I have no idea why many hateful minds meet in places like that you mention; maybe it is some specific interactions that spark the noxious emotions, but I am no expert. It is similar to highschool extremely cool kid circles and fraternities, only for reverse reasons (alone together vs in a group)
Believe it or not, the Internet has not helped people be better in many cases. Sometimes it enables the worst of our personalities to really shine through.
It used to be so that the Village Crazy got called crazy and either they figured out "shit, I'm crazy" and toned it down or they just lived alone being crazy.
Now the Village Crazy can find others with their exact flavour of crazy online and think that it's cool and everyone is doing it. Then they get deeper and deeper into their crazy, maybe transitioning into other flavours of crazy.
The worst part is that God forbid the genders were reversed and you had a male only app to discuss their relationships.
The app would be banned within a few seconds and 90% of people here would celebrate it.
Majority of people assume the following:
1. Men don't deserve to have private spaces
2. Men can't be victims of abuse (sexual, physical or else)
3. Men don't need to be protected from toxic relationships
4. Women don't need to ask men for consent
Men here refers to all men, including trans men, homosexuals, bisexuals, heterosexuals, etc.
Perhaps, it's time that we have an honest discussion about the realities of living in the world as a man in 2025.
If you're reading this and find my comment in bad taste, or that it frustrates you, I highly encourage that you take sometimes and introspect as to why you feel that way.
I'm glad, I'm not the only one feeling this way. My experience lately has been that if you are a man, you are just bad, regardless of if your behavior is actually condemnable or not.
Worse than that, if you speak against any of the nonsense coming to you, you are extra bad.
And they are surprised that fertility has fallen all over the place, seems like intended objective to me.
There are a lot of things I disagree with the majority on here. But it's more like in a real life convo, most disagreements don't need to turn into huge debates in the first place, let alone result in name-calling and group-shaming.
I don't like any tech gadgets, don't care a lot about digital privacy, prefer imperial measurements, think dynamic types are the best for high-level code, am opposed to ipv6, think Golang is pointless, want an official Linux desktop OS (not just kernel) to exist, think adults shouldn't be playing video games. And have said all those things repeatedly here.
If that all sounds too non-spicy, well, even mentioning the smaller things like JS vs TS on a mainstream Reddit page got people calling me a moron and my comment hidden because the score got too low. If I said it on a different page, maybe it would've been +100 score and everyone disagreeing with me booted instead, but that's not any better. Learned quickly not to bother with there.
HN isn't really a place for plain political discussions, so I don't participate in those. They do exist though, and end up getting locked. I'd probably be more right-wing than most.
I've read through them here, they're not bad at all. There's a majority opinion, and people are disagreeing, but there's real content there instead of campaign slogans and insults. But HN rules say it's not for politics, so I avoid participating.
So what is your non-cesspool forum example that isn't Reddit? Twitter seemingly got taken over by bots early on, Facebook pages were a disaster at least when I was in college, and those are the big ones.
I think its worth saying that its a gradation, some places are better than others with HN tending to the better. But fundamentally, I don't think large non-toxic forums exist.
X optimizes for engagement and as studies have shown, that means optimizing for rage bait.
Reddit optimizes for rage bait too but includes a voting system that hides unpopular opinions, so any person that conflicts with the majority is marginalized. So on top of being full of rage bait, its an echo-chamber and that is before even talking about the powermod problem.
HN is much like reddit in style, so fundamentally HN also tends towards an echo chamber.
And by echo chamber, I mean a cringe circle jerk: a New Yorker article called it "performative erudition".
HN doesn't feel like Reddit, yes there are votes but it's one page and a totally different algo, and different user base. Guess we have different levels of satisfaction with that.
Gotta say though, it's rich hearing this from New Yorker.
There is the AWDTSG social media groups that this app shamelessly took the idea from in an attempt to monetize it, and the thing is that these groups probably serve the exact same function just fine without egregious mistakes in the name of move fast and break things techbro profit like 'exposed s3 buckets a literal child could have found' regardless of anyone's opinion on whether they should exist or not
There's also the fact that the big story in the USA right now is how some app got hacked exposing everyones IDs and the big story in the UK right now is that they want everyone to enforce ID verification for literally everything and they want people to think this is somehow safe and not just a time bomb waiting to blow
Can you share (or describe where to find) a download link pls? I’m mildly curious to see just how gnarly things get in those kind of “restricted” territories
Nah, as a middle aged person at the bottom of the dating pool, there’s a lot of delusional thinking. A lot. A lot a lot. For example, me: 42, divorced, not rich but not poor - six figure income, her: 36, was “career oriented” but now feels like she missed the boat on kids; her: “If you don’t propose within the first 3 months, you’re not interested in marriage, just wasting time.” Also her: “A man is supposed to take care of me.” Again her: “what’s his is mine and what’s mine is mine”. This is the delusional thinking that exists in the dating world. That some rich Prince Charming is going to come save the hard working but hard partying girl who just realized she’s a woman.
I deleted my apps and will just eventually die alone.
It's not right, but the real average is a kinda tough situation too, not anyone's fault really. Most family-oriented women aren't waiting til 36, most younger women aren't dating with 10+ year age gap, being divorced makes it harder no matter what the reason is. I have some relatives dealing with this.
I’m waiting for my own EU savior to give me safe passage :D we all have our delusions. Come here on vacation… partially fluent in Spanish, English, and can get by with French, German, Italian, Portuguese.
If someone gets beaten up and left in the street, and, consequently, their wallet is laying right there beside their unconscious body, is it OK for you to take their wallet?
I mean, you can't pretend the wallet isn't right there, for everyone to see, just begging for someone to take it? This is why beatdowns are so wrong? The person who takes the wallet is as much a victim as anyone? Blame society?
This feels like a very dated metaphor. When my older brother introduced me Napster, was I actually rifling through Lars Ulrich’s wallet and shaking out mp3s?
In this case, a clone of the wallet has been preserved for all and sundry to peruse. Is it really wrong as a genuinely curious person not to pretend it isn’t there?
There’s a lot to be said about privacy on the Internet. I don’t think there’s much to be gained by attacking those who, out of genuine curiosity, don’t abide by the same polite fictions as the rest of us. I dont like browsing random strangers’ PII. I tend to hope those who do show due respect. And don’t see any sign of malice in GP.
Not the same ethically. I’m not arguing that. But it’s the same mechanics. Browsing a dump floating around on the Internet isn’t the same as stealing someone’s personal info.
The data is already there. You’re not depriving anyone else of it, and as long as you’re not hosting nor seeding it, you’re not sharing it, either. Most of us pretend not to see it, but it’s there regardless.
Privacy violation can incur costs to the victim each time. Not only upon whatever you decide to declare was an event that made subsequent violation easier, but also upon those subsequent events.
The information is spread all across the internet. By reading this thread you can see people's "private" conversations. There is no point in judging the people who see the information once its public. Its like walking down the street with no clothes and then getting mad at people who looked.
The information might be viewable from the public, but there was still an expectation of privacy at the start of this. It isn't a naked person walking down the street, it is someone getting naked in their own home and you're peering through their window. Neither the legal status of that action nor other people also being able to see in the window makes it morally justifiable to violate the original expectation of privacy.
imho, as much as i like firebase, i think the design encourages this kind of broken security model. the default is open-to-the-world with credentials in the client app. setting up firebase permissions is kind of a pain.
in the traditional db world, at least your db creds live on the server-side app.
Firebase's DB (Firestore) being almost default-allow is even funnier, and that was the core functionality from the start, leading to tons of huge breaches over the years. At least a public file bucket is a more valid use case, except I'm guessing they left the "list files" permission open. Edit: Oh, chat DB is probably Firestore, so they left that open too, nice.
Having used it several times, yeah I wouldn't entrust it to a dev team. It's gotten better lately but still seems like the gun is always pointed at your foot.
It's hard to screw up Postgres to the extent that your entire DB is made fully accessible by all users. This has happened many times with Firebase apps, for over a decade.
You could have a SQL injection vuln, but any SQL lib will very clearly steer you to parameterized queries, and even then such a vuln takes some expertise to find and exploit.
That’s simply not true. I remember working with a startup founder who had Jerry rigged some crap shit together with gpt a year ago.
I was able to access his data by simply accessing it figuring out his URL and other stuff. I told him to use supabase or DO deployment and set up proper roles and stuff…
I think you’re being way too charitable honestly and it’s dangerous. I won’t join you on that path of absolving the developer of any blame.
They don’t read the docs and they didn’t care simply put. Any production system needs to be tested especially if it will have PII data.
Don't get me wrong, there is still such a thing as a bad dev. If this startup founder actually wrote an entire app using GPT and it had such vulns, I'm pretty sure he'd mess up the Firebase ACLs too.
You are absolutely correct. The founder of Tea app has only 6mo of coding bootcamp under his belt. That should explain pretty much everything that happened.
The variable here is Firebase, the same devs don't have these issues on other platforms. If users are reading and fully understanding the manual before setting things up, that's great, it can be default-deny and tell them how to selectively open things.
One day, if you're lucky enough to engineer a quality product with scale, you'll realize why "they're holding it wrong" is generally a poorly received explanation, even if you're Steve Jobs.
I mean I already have a cushy IPO exit under my belt as a lead platform engineer.
So yeah already did it, global b2b product used by millions daily. I have nothing to prove anymore besides my current company that I’m doing on my own.
Everyone else can do whatever insignificant and make mistakes that’s on them.
Then how do you live in this world? You cannot avoid providing a copy of your photo ID to someone at some point in your life.
We really need some sort of standard for sharing specific and limited authenticated info about ourselves to third-party websites that doesn't require sharing a full photo ID.
You can't avoid it, but you can choose to refuse unless there is a legitimate need for it. Very few brick and mortar interactions require it, and at least historically a copy wasn't retained but rather verified on the spot by the business agent.
We really don't need a standard for sharing it online, at least nothing easy for businesses to implement. There are very few legitimate scenarios for an online service to ask for that. Online pharmacy, online signup with a bank, and online government interactions are the only that immediately come to mind.
I'm not even sure that the pharmacy case is legitimate now that I think about it. I don't need ID when I go in person. The prescriber can validate the mailing address for them.
If you need to buy Sudafed in a pharmacy you need a drivers license, and I believe they record the information somehow. Presumably online alcohol or marijuana sales would also require some retained evidence that a dl was presented. Maybe car insurance too.
Sudafed in the US is an odd exception in that it's regulated but doesn't require a prescription. In comparison you can pick up an opiate prescription without ID (or at least I was able to several years ago).
> Presumably online alcohol or marijuana sales would also require some retained evidence that a dl was presented.
Why? Is that required for in person purchases where you are? I thought violations were typically caught with sting operations. I don't see why online should be any different.
> Maybe car insurance too.
Why? I guess the provider could choose to for due diligence if they felt there might be fraud. But I'm struggling to come up with any realistic scenarios. For what it's worth I've never once been asked for any official documentation in order to purchase car insurance. Simply provided information over the phone and received documents in the mail a few days later.
I dislike it to such a degree that I try to avoid services that require it.
Sometimes, however, it's worth trying to access services without giving the ID and just saying oh I'd like to keep that private or just not providing it and submitting an application for services without it.
Additionally, try to apply in person as often they'll accept paper.
It doesn't work in the majority of situations but it's worth a try.
Any sort of fintech (including crypto exchanges) is going to require photo ID scans (and possibly even some sort of live selfie stream, to make sure the scan isn't from some leak) for KYC reasons.
Seems like Western governments are pushing for this to be the default to interact with almost any website soon enough. You know, to "protect the children." Soon you will have to nope out of the entire internet.
I mean yeah, I'm extremely uncomfortable with commercial ID solutions when accessing government services. When I can I even avoid government websites that have captchas or other third party resources on them but that's becoming increasingly unworkable. It's absurd that I should be required to leak my personal information to third parties in order to make use of a government service (ie something with no competition that I am legally obligated to use).
For the IRS it doesn't even make sense because I can drop paper forms in the mail. Don't need any ID whatsoever for that.
I don't trust dropping any PII/payment-related forms in the mail either, stemmed from a recent experience in which a NYC's DoF had used my information to pay for services on my behalf without authorization.
Frankly, I don’t waste my time online with toxic behavior. In real life, I might have a response. Online, it is too hard to get an idea if the interaction is even sincere.
It isn’t that straight forward. If you wrote it and it got published, it still counts as published even if you didn’t publish it yourself. The crux of libel is that you made it permanent somehow by writing it.
Hi all, i'm the security researcher mentioned in the article -- just to be clear:
1. The leak Friday was from firebase's file storage service
2. This one is about their firebase database service also being open (up until Saturday morning)
The tl;dr is:
1. App signed up using Firebase Auth
2. App traded Firebase Auth token to API for API token
3. API talked to Firebase DB
The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.
I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.
And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.
If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56
Doesn't that Gemini summary gist tie usernames to pretty specific highly personal non-public stories? That seems like a significant violation of ethical hacking principles.
They're anonymous usernames the app had them make and they were told don't use anything shared elsewhere and I googled and there's not any uniquely identifiable people from any of them.
They seem generic enough that I think it's okay, but you're right there is no need in including them and I should've caught that in the AI output, thank you!!
I think including specific stories is already an ethical hacking violation.
Including the pseudonyms associated with those stories creates unnecessary risk of, and arguably incentive for those individuals.
I also just don't get the mindset of dumping something like this into an AI tool for a summary. You say "a 300MB JSON file that (hopefully) only exists on my computer" but then exposed part of that data to generate an AI summary.
Having the file on your computer is questionable enough but not treating it as something private to be professionally protected is IMHO another ethical violation.
I don't see the need for the AI output to begin with. Normally pen-testers just demonstrate breaches, this is more like exposing what users do on the app.
Yes! haha! But hopefully I have a good enough support group and connections that I'll be ok if that happens, I just really wanted to prove that they were not being honest when they said it was data prior to 2024.
This is correct. While I’m not sad about Tea’s most toxic users being exposed, there were likely also many innocent women caught in the crossfire who likely just signed up out curiosity.
If the chats also leaked, then those innocent women's reputations will be intact. Identity theft however, is a different matter. Overall, it shows what a rotten influence that social media has been on interpersonal relationships in the society.
Apps like these show the apathy of authorities towards slander (especially of men) and the presence of predators who want to worsen and take advantage of the gender wars and other forms of bigotry. Ultimately, people must introspect and reassess the influence of these venomous propaganda on their biases and emotions. This sort of radical beliefs is never healthy for anyone.
because news articles and media are putting out this narrative that the site was a "safety tool" that was critical in allowing women to "protect themselves", instead of what it actually was: a gossip and hate-spewing site with zero oversight/recourse for anyone who is being slandered.
The app stores haven't pulled it because they are waiting for this to flow out of the news cycle and reduce the impact of this subset of our culture freaking out at them.
Say I were single and ended up being slandered on that site, what would happen? Sounds like the users on there are not the kind I'd want near me anyway.
There is no safe amount of attention from people who spend their time sharing 'drama' online. The most extreme example is the kiwifarms lolcow stuff, but even very normal and boring internet 'microcelebs' learn the hard way that some insane person somewhere will decide they don't like you and go out of their way to interfere with your life and relationships.
That's the equiv of saying I don't need privacy because I have nothing to hide.
Just because you don't want anything to do with the type of people who would post pictures of you and slander / shit talk you doesn't mean that you should want that being out there to begin with - it's not like that sort of thing hasn't ever been weaponized against someone before.
The worst part is with this app there is a high chance you'd never find out that anything was ever said about you until the snowball is so big that it'll crush any attempt to slow it down.
Guess this is too theoretical for me to worry. This app was up for years, I was wondering if they ever coordinated an attack on someone other than just avoiding him.
And yeah, I am trusting certain companies like Apple with some of my data to some extent.
> picking sides to induce the least harm to bottom line.
This is why Google has a large number of scam dating apps on its app store. The apps I refer to are near/complete scams with 99% fake profiles and 1% lured, like the phishers of Myanmar, only these are Western. They bring big money in.
Even apps that are not strictly for dating are full of scams, a lot of catfishing is going on with a ton of onlyfans egirl type of profile.
A while ago (about 3 years), I downloaded a ton of apps made (allegedly) to meet new people in cities you don't know (I was going to spend about 3 weeks at a friend and he would be busy with his job); Meet with Locals types of apps.
I shit you not, the vast majority were filled with scam profiles and a lot of what I assume is escort services/soft prostitution and whatnot.
So, I just deleted them all and just met people the old-fashioned way (which was just fine, not sure technology has a real use case for that); but it was an eye-opener.
<tinfoil>Google is invested in ratcheting up the war behind the sexes, because it atomizes people and makes them prime targets for an upcoming companion AI product.</tinfoil>
Except, that's not how most laws mandate it. The verification of personal data, its storage and the subsequent authentications based on it are done by a trusted third party - usually a government agency. Either they (the agency) maintain the mapping between the real life identities and the 3rd party online accounts, or they give the 3rd party an ID code which cannot be used to retrieve the personal info without the consent of both the agency and the individual user. Thus, you don't litter your personal data everywhere on the web and risk leaking it like this.
All that said, I'm still not a fan of such invasive arrangements and laws.
That's a prudent stance. Even in countries where the current government is trustworthy, we have no good way to predict who will attain power in the future. Not to mention the fact that governments themselves are never homogeneous.
reply