Smashing Security podcast #428: Red flags, leaked chats, and a final farewell

They say the problem is that a legacy data storage system was compromised.

So we had this car in the car park and all the files were in the trunk. I know, I know. And it's like some guy got in there and stole all of them.

Smashing Security, episode 428. Red flags, leaked chats, and the final farewell, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 428. My name's Graham Cluley. And I'm Carole Theriault. Now, Carole, I believe you've got some pretty big news for our listeners that you're going to be sharing later on in the show.

Yes, well, you're going to have to listen the whole way through, dudes. Oh, you're keeping me in suspense here. But listen, before we kick off, why don't we thank this week's wonderful sponsors, Vanta and 1Password. It's their support that help us give you this show for free. Coming up on today's show, Graham, what do you got? I'm going to be spilling the tea. And I'm hitting the Wayback Machine, Smashing Security style. All this and much more coming up on this episode of Smashing Security.

Carole, have you ever heard of this phrase, spilling the tea? Yes. It's something young people are talking about a lot these days, the tea and sharing gossip or something. What is it?

I don't know. I think we do have a teacup on our actual logo.

We do. I think it's like dishing the gossip or something, isn't it?

Oh, it's like, oh, let's get our tea and get the popcorn. Like, sit down, snuggle up, because this is going to be delicious. Okay. I think so. And it's also this tea thing, as well as being a drink involving boiled leaves in water. A very delicious one, you know? Well, I haven't been dating since I'm married.

Fair enough. No, there's a lot of people talking about this. He wrote this app because he said his mum kept on getting catfished online. I guess she was doing some online dating. And so he created this app, which allows women to review guys who they've been on dates with. Okay. And so you can look someone up maybe before you go on a date with them, or if you're a little bit suspicious, maybe you've been chatting to someone on a dating app and you're not quite sure about them, you can look them up to see what other women have to say about them. So according to the website for this Tea app, you can find verified green flag men, which means I guess this one's a good one. How do they know they're good? Oh, because other women have said, oh, yes, this is a good guy. You know, this isn't a bad one.

Not a lady bot, but a lady lady.

Yes, yes. And you can also run background checks. For instance, you can look for any convictions that people might have or criminal history a man might have or what's their marital status. You know, are they actually married? They haven't been telling you that they're married or in some kind of relationship.

Okay. Yeah, yeah, yeah. Yeah, so this kind of way of finding, like, what's that expression, the chaff for the wheat, the wheat for the chaff?

Wheat from the chaff is probably the way around to do it, yes.

You're getting more wheat here is the idea.

You can identify possible catfish, so you can do a reverse image search in this app, so it can say, oh, interesting. Cool. Because this guy's photograph looks awfully like, I don't know, Brad Pitt or whoever it might be, or Ryan Reynolds.

Yeah, see, maybe someone in the octogenarian age group might not know who Brad Pitt is. That's right. Okay, well, Who's an equivalent? Somebody like... Johnny Carson? I'm not sure he's dating anymore. Dick Van Dyke? Is Dick Van Dyke still alive? So people are flocking to this app where they can actually verify because they're sick of being catfished and bullied and whatever. It's a big hit.

Yeah. Okay. Yeah. People, specifically women, are fed up of how dating works online. They're fed up of the low quality of men or they're fed up of catfishers or they're fed up of them being sex offenders or having some ghastly background. And so this app has become a viral sensation. About one million women have started using this app in the past week or so. It claims to have over four million users in total. So it's really exploded.

Okay. Okay. So I'm just going to tell you with my suspicious hat on, Ashley Madison claimed they had a lot of women on the site. This is different. This is really, really live women flocking to the site.

Well, I haven't verified that myself.

Okay, okay, of course. But

It certainly claims that. When you open the app, you will see local men in your area whose pictures have been uploaded. You can get this app. In fact, it's only US-based at the moment, so I guess you couldn't get it. But if you're in America, you can get this app, you can boot it up, and you can see men who are around. You'll be able to see if a man is being labeled as a red flag or a green flag and any comments left by the women. Now, obviously, those comments which are left are anonymous. So, the women have pseudonyms. You don't use your real name on the app. Which makes sense, you know, because obviously, there could be recriminations if a man's not very happy of what you've said. Although the man might suspect, you know, if he had a relationship which ended rather badly. It's like, okay, yeah, I can guess which one that was. You can also look up specific names in the search bar and create alerts. It's not just about looking at comments for men's red flags. You can also use T's catfish finder AI to run background checks or look for criminal histories, public records, et cetera, et cetera. Jeez, it's—

So scary. This is what has to happen. Do you think it's scary? You have to date someone. You want to go for coffee and see if you guys get on, and you've got to do background checks.

Well, I guess lots of women have had bad experiences and that's why they're turning to an app like this. And according to the website, 10% of its profits go to support the National Domestic Violence Hotline. That sounds very good. Sounds like a good thing, right? And now, of course, they want to keep bad guys out of the app. The app is supposed to be for women only. So when you make an account, you tell it your location, you tell it your date of birth, you take a selfie to verify that you're a woman, and you wait to be approved. Some people have complained. They say it takes a few days to get approved, I guess because a million people have signed up in a week. But even if they have an automated system, it must take some time to determine if a picture is going to be of a woman or not.

May I ask, do you know if this spread via word of mouth or what made its tipping point? You don't know? Well, it's been going for a few years. I don't know, but it appears to have just ignited. It's caught fire just in the last couple of weeks. Right, so is this a bit name and shame? Yeah, well, exactly, because there you are. There's your photo and people are saying you're a terrible human being. Or there'll be some people whose identity have been stolen and it's not even the picture of the— Right? There's some guy, innocent person, whose pictures and, you know, job profile has been taken.

Right. So if someone used a photo of somebody else and they acted badly online, maybe the person never even met them. And they just say, he's a bad guy. It's like, well, that wasn't even me. And of course, men aren't allowed on the app, which means they don't have an opportunity to post.

I'm not sure how they tell. Do you send a picture of your genitals? How does that work?

It's interesting. So, the app takes a selfie of you. A few years ago, it used to take a photograph of your identity documents and upload them. It doesn't do that anymore. Now it does a selfie and it does some kind of check which determines if you're a woman or not. I'm sure sometimes it could make a mistake in either direction. But you can easily imagine that misinformation could run wild up there and personal information could be shared that could be inappropriate. Yeah. If you've been, say something bad's happened to you and you went on there to kind of say, hey, I'm sharing all my stuff so it doesn't happen to you. That information is involving someone else who, yeah, I totally get it. I think that's a very, very complicated question. I'm not going to touch with the 10-foot pole. Well, let me try and make it a little bit easier for you to decide, because there is a cybersecurity angle. No. I'm afraid so. You're Smashing Security, touching on the topic of cybersecurity. Who would have thunk it? Last week, an itsy-bitsy little problem was revealed with the T-Dating app, because it turns out it suffered something of a security breach. And this problem first emerged in that nightmarish Petri dish that is the internet message board 4chan because some people on 4chan, which is a repellent corner of the internet, quite frankly, began posting data that appeared to have originated from inside the T dating app. 72,000 images, including approximately 13,000 selfies and photographs of ID documents submitted by users during their account verification process, and approximately 59,000 images publicly viewable in the app from posts and comments and direct messages, they were compromised. They fell into the hands of the 4chan community. And we don't know how. Well, according to T, they say the problem is that a legacy data storage system was compromised.

So we had this car in the car park and all the files were in the trunk. And it's like some guy got in there and stole all of them.

You might be honest with you, maybe if they'd actually left it in the trunk of a car, that would have been more secure than what they had. Because I've read reports which said there were no passwords involved. Anyone could just go to this place on the web and download all this stuff.

Do you think this was a honey trap for women?

No, I don't think that. I don't think so. I think it was created with good intentions, but maybe not the greatest quality control. So the data affected, according to T, was related to users who signed up before February 2024. So a few years ago, before the current sort of big hype about this T thing. So it's like an old backup almost. And some people are a bit annoyed about it. When you meant to delete those photographs I uploaded as soon as you verified I was a woman? And according to T, they said, well, that data was stored in accordance with law enforcement requirements on this legacy backup system. At this time, they said, we have no evidence to suggest that the photos can be linked to specific users within the app.

I thought, hmm. Have they heard of this thing called the internet? Oh, and do a reverse image search, just like the T app does. And furthermore, some of these images are of ID documents, which presumably have your name on them, maybe. Imagine people using passports.

Sure. And really sorry, those guys that believed in us before we were anything. Yep. Oopsie.

Big relief. Hang on. Because there's an update. You see, as 404 Media reports, there's just been another major security issue discovered with T. And it doesn't just relate to users who registered before February 2024. In fact, it relates to data as recently as last week.

No, I'm not laughing. I'm just saying, if anyone's listening and this is you, I am not laughing at... It's too horrible even to imagine. It is horrendous, isn't it? It's awful.

Seattle-based researcher Kazra Rajirdi was able to access a database of 1.1 million messages, stretching from early 2023, which is when the app was effectively created, to last week. Includes messages from women claiming particular men were their husbands or they were engaged to them, or messages from women who were discussing their abortions and other private information like that, chat logs between women who discovered they were dating the same guy. In fact, this vulnerability meant that any T user at all could use their own API key to access a recent database of everybody's communications, including a mass of private messages, some of them containing highly personal, identifiable information, such as phone numbers. And do you remember those scumbags on 4chan? What they've been doing is they have created a website now where it's basically hot or not. It lets you compare the selfie images.

Don't, don't, don't. Oh my God.

And you are invited to choose who is hotter than the other. So there's a lot of misogynist stuff going on here. I think the idea of wouldn't it be great if women could check if someone was a bad guy or not is a great one. But it's so problematical the way in which this has been set up. Now, in some countries, like for instance in the UK, there's a thing called Claire's Law where you can actually go to the police and you can request. I think you can say, I'm dating this guy or I used to date this guy and I'm a bit worried about them. Can you tell me if they've got a bit of a history?

I've covered this on the show before, I think.

Excellent. So it's good that some countries have that as an alternative, but of course it's not there available to you at your fingertips inside an app. And the police may decide, well, it's not in the public interest or, you know, they will review any requests like that to see if it's actually appropriate to share that information. Today, just before we started recording, I went to have a look. It is currently the second most popular app in the US Apple iPhone store. It beats Threads, Google, WhatsApp, Google Maps. It's only being beaten by ChatGPT. You will find no mention whatsoever on the dating apps main web page that refers to any kind of security incident at all. There is, if you manage to find it, I have the URL which I'll put in the show notes. You can read about the cybersecurity incident. They have put out a statement about it. But if you're installing this app, you won't know it's happened unless you've seen the media reports or heard podcasts like this one.

It opens a little interesting can of worms. Don't you think these stores where you get apps that verify apps, don't you think if they are aware of this, they would suspend the app until the problem is sorted?

I mean, that would be nice, wouldn't it?

If they just said, sorry, not available right now, we'll get back to you when it's confirmed to us, problem's gone.

I would think that Apple may not want to get into that legally in case they reduced access to an app and then denied income to the app makers, even though this is actually a free app. They, you know, they may be worried that there's legal action then taken against them.

Well, they might have legal action face them the other way saying, look, you know, I thought the app was safe. It was number two in your app store.

I think right now, if anyone deserves some legal action, it's software engineer Sean Cook who created the T dating app and the rest of his company. You know, they're probably the ones who should be most concerned rather than them firing off legal action themselves. Your advice. As a woman, as a woman, Graham, tell us.

No, I'm not going to give you advice about dating. All I'm going to say is, if you're using this app, or if you maybe have a friend who's using this app, even if you're not doing online dating, this app is... Yeah, stop. Uninstall. Stop using this app. Carole, what's your story for us this week?

Well, I'm going to take us back to the year 2016.

Ah, the good old days.

This is almost August, right? This is the end of July. And this is the time that typically you and I, Graham, have taken, you know, a few weeks off to recoup in the show. But there's been a little shakeup around here. And so get your cup of tea, listeners. Indulge me with a little light jog down the Smashing Security memory boulevard because 2016 was a big year. I don't know if you don't remember, but it was a big year. That was Brexit year for us. David Bowie died. Everything went wrong after that, really.

Donald Trump, just saying that was the first time he was elected. I think people hardly noticed. Didn't make much impact on the world, did he? And this is when Smashing Security slid into the world like a screaming baby. That was in December 2016. A long time ago. Yeah. The brainchild of, you know, Graham, me, but also Vanja. Vanja Svajcer. Do you remember doing it? I do. The first episode we actually did as a, a Zoom call. It was a video thing, wasn't it?

Oh, I to this day cannot believe you talked Vanja and I into that because both of us are pretty camera shy and you aren't, right? You're a little bit camera happy.

Some of us are more photogenic than others. That's the thing. The camera loves me. Right. The camera loves me.

How did you convince us to do that? Because what I was petrified. I was petrified. I think I spent 10 hours writing my story.

I thought you were going to say you spent 10 hours doing your hair.

You would think that. He's over 50 people. And we talked about that. The pains of providing tech support to family and friends.

Oh, yes. Yes, that's right.

But the real, yeah, the video thing was really hard for me. But soon you acquiesced on the YouTube thing, right? You gave up on the YouTube thing, which was a great decision, I think.

It was interesting because I think the initial idea was if we do it as video, we don't have to edit it. So it won't take that long. And then we made the quite sensible step of going to audio. But we then thought maybe editing is quite important, actually, so we don't sound like complete plonkers.

Well, yeah, for the listening experience, it's also better.

Yes, it is. I think so. This podcast is actually edited.

And that was hard in itself, wasn't it? Learning how to do all that. Learning how to edit. I started in GarageBand.

Yeah, we've used lots of tools.

Which was really complicated because it's a pretty powerful music inclined system. After a while, we moved to Logic Pro.

Yeah. I like Logic.

I got really into it. But then. Right. Yeah. We now use Hindenburg and it's excellent. We've used that for years, haven't we?

Yeah. I love Hindenburg.

Me too. Me too. It is great. But we did 10 episodes before Vanja had to excuse himself from being a regular host on the show.

Yeah. Like a rat from a sinking ship.

Well, no, he had to. And it was a baptism of fire for both of us because we had to learn everything, but also we had to figure out how we were going to deal with that. And this is when we got guests, right? This is when we started getting guests, weekly guests on the show.

Paul Ducklin. He was an early one. The wonderful Maria Varmazis.

Well, she's my queen to be. These are my tops. This is what I think have done the most shows.

Don't upset people by leaving out names of anyone significant. Well, that's your job.

So I've made a list already. So the glorious Anna Braiding, right? She's always been fantastic on the show. Dave Bittner has come on many, many times from the Cyber Wire.

Bittner's a star. He's a star. Geoff White has done loads of shows with us.

Yes. But Maria has won. She's our top guest, I think. She's done 43 shows with us.

43? Wow.

43. It's mind-blowing. And a lot has happened in the tech space too, right? We had GDPR. That's the most important. That happened during our reign.

You actually read the GDPR regulations? From cover to cover. Wow.

Cambridge Analytica scandal happened then. Right. I don't know if you remember, but we had this little mini pandemic. And we actually podcasted through the entire pandemic.

Yeah, but I know that sounds like it was a big deal. But frankly, there wasn't that much else to do, was there?

Well, we both got COVID during that time.

I never got COVID. No? I didn't. No, no, no. You've never had it? I've never had COVID.

Oh, yeah.

I did lose my voice one episode. And the show kind of grew, right? Because we added things like Pick of the Week. We added... We got sponsors. Yes. We got stickers. T-shirts. A Patreon community. We did go on tour. We went to Duxford near Cambridge. We went up to Edinburgh.

We did. Did we go to Northern Ireland? Manchester. Manchester. Okay. Yeah. We interviewed CEOs, founders of all kinds of companies. Can you think of things that we covered through all that time?

We mostly tell people not to use the same password on different websites. We've talked about Roombas. Yes. NFTs.

Oh, yeah. Wireless headphones. I had a lot of stink about wireless headphones. We both did. We hated the idea of AirPods or wireless head listening devices.

Yeah, I still don't like the idea of wireless earphones. That's a terrible idea.

Oh, you don't have any?

No, I don't. I refuse to.

Oh.

Do you have them?

Yes. I'm totally a convert.

Don't you have sweaty ears? Don't they fall out of your ears?

No. Wait for my pick of the week. We talked about drones. Smart sex toys. IoT.

Oh, I like the way you quickly went past smart sex toys.

RoboDogs. And behind the scenes, things were, you know, a little bit interesting, recording. Sometimes you were, I think you were in Australia under a table, sweating to death as you tried to record.

I did that once from Morocco, I remember.

Oh, was it from Morocco?

Yeah. I may have recorded in Australia as well. That is possible.

I remember writing a story and doing everything, researching, choosing it, writing up, recording it. And I don't remember who noticed it, but we suddenly realized it was three years old and no good. And then we had to somehow re-research, re-choose a story, re-write, re-record and do that all. And I think we did it without disruption to the schedule.

Yes, we've pretty much kept the schedule for years and years and years, you know? And we've done really well. I just wanted to give us a clap on the back, not a clap, a pat on the back, and say that we've stuck through thick and thin, right, for what, 420-something episodes every single week. And, you know, we've been salty with each other occasionally, right? But we still get a funny show out of it. And I'm no longer going to be a regular feature on the show.

Yes, it's out there. So I'm hanging up my co-host hat after almost nine years. And it's huge. It's a really big decision. It's big, it's big, it's big. And it's big for our listeners. Well, it might be, I don't know. But I'll tell you why I'm doing it. I just want to watch more Netflix. Well, what a fabulous co-host you have been, Carole. I've shown up. You have shown up. 428 bloody episodes. It's very, very impressive. And I know that I won't be the only one who will miss you on the show.

No one's going to miss me. Well, they might miss me if after I say this, can I say my next bit first? Because I do have a huge thank you, right? Especially to listeners. And especially to those listeners who listen week in and week out, because I was thinking about it and it's kind of like being invited into someone's ear holes every single week. And it's a pretty big honor because if you think the average Smashing Security show is 45 minutes. Right. And we do around 50, whatever, 40 shows a year. That's a lot of hours. It's probably going to be more than a work week. And that's more than I talk to 99.8% of the people in real life. Except for you, Graham, right? Because you have to listen to all that. Plus, listen to it again when we edit. And plus, before we publish, we have to listen to it. So we've been listening to each other a lot, a lot, a lot. Maybe more like 150 hours a year, we have to listen to each other. But I think we should be super proud because we did something great. And we did it for a long, long time. So huge shout out to you listeners. Huge shout out to those who support us on Patreon. Huge shout out to the guests who came on the show to give us a different angle. And to the sponsors who helped pay our bills and allowed us to do this show. So from the bottom of my heart, wherever you are on the planet, I appreciate you. I thank you. And don't panic because the show will go on in a new form. The show will carry on. We will not be the same without you, Carole, but the show will carry on. This is your chance. You can write to Graham and say, finally, finally, you're free.

Email us at studio at smashingsecurity.com.

But if you want to share any thoughts with me directly, I would love to read them. So you can email me directly at carole, C-A-R-O-L-E, at carole.wtf. Yes, W-T-F. I don't plan to disappear from the planet entirely. Sticky Pickles will be resurrected soon. And there's a few other projects in the making. So keep them peeled. And thank you.

I'm sure it won't be the last time our listeners hear your voice, Carole.

Well, I hope not for them. My God, how will they live?

All right. Should we go and check out some of those sponsor messages?

Yes! Now, Carole, according to Vanta's latest state of trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.

Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.

You see, Vanta allows your company to centralize security workflows, complete questionnaires up to five times faster and proactively manage vendor risk to help your team not only get compliant, but stay compliant. So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Over half of IT pros say securing SaaS apps is their biggest challenge. With the growing problem of SaaS sprawl and shadow IT, it's not hard to see why.

Trellica by 1Password inventories every app in use at your company. Then, pre-populated app profiles assess SaaS risks, letting you manage access, optimize spend, and enforce security best practice across every app in your employee's use.

So, take the first step to better security for your team by securing credentials and protecting every application, even unmanaged shadow IT. Learn more at 1password.com slash smashing. That's 1password.com slash smashing. And welcome back. Can you join us at our favourite part of the show, the part of the show that we to call for the very last time for Carole Theriault, Pick of the Week.

I might be on the show again. I might say it again. Pick of the week. Pick of the week. Pick of the week is the part of the show where everyone chooses to sound the like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. I hope it's not. Mine is not security-related. Yay! This past weekend, the incredible Thom Lehrer died aged 97. Carole, are you familiar with Thom Lehrer? More information before I say yes or no.

He was an extraordinary writer and singer of satirical songs.

Oh, I did read about him in the New York Times this weekend. Yes. But I was going to go check him out. I haven't listened.

Oh. Yeah. He is wonderful, or was wonderful. He was not only a singer-songwriter of these funny songs, but he's also a mathematician. He was a child prodigy, entered Harvard at the age of 15, had his master's in mathematics at 19, later taught at MIT and Harvard and University of California. He was also the inventor of the vodka jello shot. Can you believe? I love that. So he's a clever guy. And famously, in the 1950s and 60s, he wrote and performed witty songs at his piano. But then he left that world behind to teach. Instead, he was one of a kind. So there are certainly songs which probably people will have heard of. For instance he did the element song where he recited in about one minute 30 seconds the chemical elements.

I do know that song. Aha, there's antony arsenic.

Aluminium selenium and hydrogen and oxygen and nitrogen and rhenium and nickel lithium. I can't do it anyway you get the idea he was incredible. And put some links in the show notes as well to some of his other songs because he really really was incredibly entertaining and clever. And what I particularly love about him is that in 2020 he decided to move his entire catalog into the public domain because he felt he'd made more than enough money off it so he's given it to the world all of his recordings all of his music and the videos and so forth. You can go to thom lehrer songs.com. Check them out very entertaining and there's not enough people like Thom Lehrer in the world so very sad to see that he had died at the ripe old age of 97. And so this is my little thank you to him for all the entertainment he's given me over the years by making him my pick of.

The week. There you go good one.

Carole what's your pick of the.

Week well I mean what do you do for your final pick of the week?

I don't know. I don't know. Sticky pickles? I thought about it. No. Yeah, I could do that. I could do that. Oh, yes. Very good. Very good.

Love it. Okay? It supports your local library. You don't have ads when you read a book. It's the best thing since the sourdough revolution.

Because it's a way basically of borrowing an e-book, isn't it, Libby?

Yes. It's wonderful. It's great. Shox Bone Conduction Headphones.

Oh, you still use those, do you?

I use. And they are wireless, Graham.

Yes, I'm familiar with them.

And I love them. I wear them every single day. They're comfortable. I adore them.

They pick up the vibrations on your jawbone, don't they? So you don't put something in your ear, I believe.

No. So your ear, you can basically protect your hearing. If you have hearing loss, which I would like to prevent having. So look into bone conduction headphones. Fantastic. For example, in Canada, they're legal to wear if you're cycling. But if you wear ear in headphones, it's illegal.

Oh, OK. So there you go. Number three, yoga. Yes. Graham can attest to it. I've had serious operations. Oh, I remember this one. Because if you don't want to give people food poisoning, perhaps if you're not a great cook, this is how you do it. And if you want your food not to be overcooked, this is how you do it. Wow. Well, great picks of the week.

I'm going to cry. Weekly.

Well, that just about wraps up the show for this week. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that? I've created a sub stack. So, Carole Theriault, my full name, at Carole Theriault, that's where you can find me. And you can find Smashing Security on Blue Sky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify and Pocket Cast. And thank you to our episode sponsors, Vanta and 1Password. And of course, to our wonderful Patreon community. Well, you're going to want to know what's going to happen next. So, I guess the message I have for all the listeners is, until next time, cheerio.

Bye. Thank you.