this post was submitted on 31 Jul 2025
434 points (99.3% liked)

Technology

73534 readers
2429 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
434
Tea App A Second Tea Breach Reveals Users’ DMs About Abortions and Cheating (www.404media.co)
submitted 2 days ago* (last edited 2 days ago) by themachinestops@lemmy.dbzer0.com to c/technology@lemmy.world
102 comments fedilink hide all child comments
 

https://www.bleepingcomputer.com/news/security/tea-app-leak-worsens-with-second-database-exposing-user-chats/

https://redlib.orangenet.cc/r/AskWomen/comments/1m9ydcn/what_iswas_the_tea_app_actually_like/

you are viewing a single comment's thread
view the rest of the comments
[–] gravitas_deficiency@sh.itjust.works 48 points 2 days ago (9 children)

This is why you don’t vibe code a webservice

[–] FauxLiving@lemmy.world 25 points 2 days ago (7 children)

This wasn't vibe coding, it's incompetant devops.

You have to go out of your way to make these buckets public like this. Several giant "Everyone will have access to this" warnings, re-authentication, a permanent warning symbol on the dashboard AND regular e-mails reminding you that you have a public bucket. I don't even think you can do this via the API, it requires a human to manually make this setting.

I'm guessing that they couldn't figure out how to configure the Access Control Lists and just made it public so that it would work. That's fine in a test environment, without any user data but it's pure incompetence to have a production system setup this way.

[–] gravitas_deficiency@sh.itjust.works 9 points 2 days ago (5 children)

I’d say it’s not fine in a test environment, because then your test env S3 bucket is publicly available.

[–] FauxLiving@lemmy.world -1 points 2 days ago (2 children)

It's not great, but it's an acceptable kludge if you're the one holding everyone back and you can't figure out the problem immediately. Set it to public, let the devs get to work and research the problem until you find a real solution.

The test environment data should be generic so if someone were to discover the bucket they'll get some pictures of cats and a bunch of people who live at 12345 anywhere street.

[–] gravitas_deficiency@sh.itjust.works 10 points 2 days ago

It’s a bad idea to leave your S3 perms wide open, because then anyone can use your S3 bucket for whatever reason they want, and it’ll hit your wallet. And if they can’t figure out basic IAM and ACLs, I’m also betting they can’t figure out “requester pays”

[–] blargh513@sh.itjust.works 8 points 2 days ago

What? No, this is a horrible practice.

If you can't figure out how to set identity-based ACLs you shouldn't be working in technology! Oh I'll just set this shit to any/any and figure out later. FUCK ANYONE WHO DOES THIS IN THEIR LEFT EAR.

load more comments (2 replies)
load more comments (3 replies)
load more comments (4 replies)