I've listened to a few industry podcasts discussing the Tea app breach since recording, and the thing that really struck me was the lack of discussion around the privacy implications of the service before the breach. Here was a tool where people were non-consensually uploading photos of others and leaving fairly intimate commentary about them. That MO seems to be, at least in part, related to the motive to take a service that presented massive privacy implications for the subject matters and, to vet their participants' gender, create an even bigger privacy issue by collecting selfies and IDs, which in turn created yet another privacy issue when they were leaked and misused. There were so many red flags about this service before the breach that it's kinda fascinating the focus is now so heavily on the aftermath. A bit more pre-emptive focus on privacy next time, everyone.
References
- Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSitelegislation
- The Tea app breach is many layers of privacy irresponsibility (with some pretty alarming outcomes for users and victims of the service)
- My favourite creator of network-level nasties blocking was compromised (and it wasn't even the Pi-hole's fault, thanks to a dodgy WordPress plugin with an egregiously dumb flaw)
- I was asked about the UK's Online Safety Act during the live stream (that's a link to a thread which effectively amounts to it being more "thoughts and prayers" of infosec rather than practical legislation)
