Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through peoples’ personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.
One of the definitions of hacking is illegally gaining access to a computer system. It doesn’t need to involve any sort of exploit. Stealing from an unlocked home is still stealing. Gaining access to a system by phishing is still hacking. Leaking data that is technically publicly accessible that isn’t meant to be publicly accessible is still hacking.
Not that I suspect anything good from 4chan but the proper thing to do would be to disclose to Tea that their data is public and allow them to fix the problem. The ethics of vulnerability disclosure still apply when the vulnerability is “hey you literally didn’t secure this at all.”
This is also The legal Definition applied in Germany (with the only difference being, that in Germany it is "gaining access to a system not meant to be accessed). The problem with this is, that everyone who finds security breaches is at threat to be punished for it, even if they ethically disclose it. There have been various cases of ethical hackers receiving fines for disclosing security vulnerabilities.
Same in America. Someone who found a government website had SSNs just sitting in the HTML was almost prosecuted for viewing the raw HTML after ethically disclosing it.
This reminded me of an anecdote from maybe 6 years ago. I was setting up and testing a small network and a couple devices to install for a customer, let’s say the subnet was 192.168.2.0/24.
Weird things were happening, I was being lazy and wasn’t directly connected to the network, may have setup a VPN between devices somewhere; can’t really remember. But pings would sometimes drop or blow out to 100’s ms.
I eventually ended up disconnecting that network entirely, then the pings continued and got more stable?? WTF! I need we didn’t have that subnet in use, even checked before setting it up. In the time between checking and the issues happening, someone in Sydney somewhere had stuffed up on their router and exposed there LAN to the internet without any Firewalls, just available.
Scanned and found all the IPs in use and in them found a printer. Connected to it and printed a page saying I’m from company XYZ and found all these devices available, and to either contact their IT and resolve it ASAP or my company to help. About an hour later it seemed to be resolved.
It was an interesting day.
I worked for a ISP. A cable company. We were getting our local offair channels from a site that was in easy reception of them. They had a large amount of bandwidth and did the same thing for dish and direct tv. The man who ran network side had a stroke and died. The hack that ran the broadcast side of their main business took over. Next thing I know I’m having all kinds of problems with our multicast tunnel. I port scanned the IP range and discover they have opened the whole thing up. We had a conference call where I detailed my concerns. Later that day the hack called my boss with his boss on the line and we had another meeting where I told them that they were exposed with default passwords and it could be a real problem.
After I was given verbal permission to demonstrate my concerns with some limitations I took over all default password equipment and sent a large amount short stories to their printers. I ended it with the story superiority by Author C. Clark. Some back and forth a day later and they needed a new sysadmin.
Uh… you can’t just “expose a LAN network to the Internet” in this manner. Local subnets aren’t routable over the Internet, so you can’t just enter 192.168.2.3 and end up on somebody else’s private LAN.
https://www.geeksforgeeks.org/computer-networks/non-routable-address-space/
They would have needed to either have all their internal devices being assigned public IP’s or had NAT+firewall rules explicitly routing ports from their outside address(es) to the inside ones. The former is unlikely as normally ISPs don’t allocate that many to a given client, or at least not by DHCP. the latter would require a specific configuration mapping the outside addresses/ports to inside devices, likely on a per device+port basis.
Either your story is missing key details or you’ve misunderstood/made-up something.
They did indicate that the subnet they provided in the example was not the actual one they used.