For me the only people I'm looking at with disgust are those who were using said app... it was a gossip cesspool with no way to verify any of the claims being said and a breeding pool for hateful posts against people you dislike.
The meme floating around of "I joined a site to dox and spread personal info about people got hacked and now my personal information is being spread around waahhahaaa" is pretty damn accurate and makes me not feel bad for them at all.
It's not perfect of course, neither am I.
I have no idea why many hateful minds meet in places like that you mention; maybe it is some specific interactions that spark the noxious emotions, but I am no expert. It is similar to high school extremely cool kid circles and fraternities, only for reverse reasons (alone together vs in a group).
There's also the fact that the big story in the USA right now is how some app got hacked exposing everyone's IDs and the big story in the UK right now is that they want everyone to enforce ID verification for literally everything and they want people to think this is somehow safe and not just a time bomb waiting to blow.
Workmates, family, people of the streets and in shops. Just so many angry toxic people. It's like a cultural change (am in Australia btw).
It's not everybody but it's definitely a larger number than I remember in the past few decades.
In the traditional db world, at least your db creds live on the server-side app.
Having used it several times, yeah I wouldn't entrust it to a dev team. It's gotten better lately but still seems like the gun is always pointed at your foot.
Also GCP, storing secrets properly in AppEngine is notoriously difficult and prone to accidental git-commit: https://stackoverflow.com/questions/58371905/how-to-handle-s...
/s btw
This is completely the fault of the people who made that app.
They have no fucking idea how to build systems if they can't figure out how to lock down Firebase. It isn't that hard.
Source: Multiple Firebase apps back in the day.
There are probably countless new projects today that are storing plaintext passwords, or not adding scoping, and so on.
Putting in scopes and ensuring data security for both users and system wide is on the developer.
But sure, blame Firebase lol
Discovery of heinous defamation circles, doesn't sound like something to look away from or feel sorry for.
Frankly, I don’t waste my time online with toxic behavior. In real life, I might have a response. Online, it is too hard to get an idea if the interaction is even sincere.
Citation, anyone?
The app stores haven't pulled it because they are waiting for this to flow out of the news cycle and reduce the impact of this subset of our culture freaking out at them.
Just because you don't want anything to do with the type of people who would post pictures of you and slander / shit talk you doesn't mean that you should want that being out there to begin with - it's not like that sort of thing hasn't ever been weaponized against someone before.
The worst part is with this app there is a high chance you'd never find out that anything was ever said about you until the snowball is so big that it'll crush any attempt to slow it down.
They aren't so much picking sides based on their moral compass, more picking sides to induce the least harm to the bottom line.
Kiwifarms never gets this level of outrage going, and I’d argue it’s an order of magnitude more toxic to society than Tea would be.
1. The leak Friday was from Firebase's file storage service
2. This one is about their Firebase database service also being open (up until Saturday morning)
The tl;dr is:
1. App signed up using Firebase Auth
2. App traded Firebase Auth token to API for API token
3. API talked to Firebase DB
The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.
I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.
Here is a gist of Gemini 2.5 Pro summarizing 10k random posts: https://gist.github.com/jc4p/7c8ce9a7392f2cbc227f9c6a4096111...
And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.
If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56
And here's the output of that script (any db that has <100 rows is something another "hacker" wrote to and deleted from): https://gist.github.com/jc4p/bc35138a120715b92a1925f54a9d8bb...
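The open permissions described in the comment above, shown as security rules next to a scoped version. This is an added example, not part of the original comment and not the app's actual rules; it assumes Cloud Firestore (the comment only says "Firebase DB"), and the `users` collection name is hypothetical.

```firestore
rules_version = '2';

// WEAK (the pattern the comment describes): any signed-in user, including
// one who self-registered with a throwaway email, can read, create, update
// and delete every document. Holding a valid Auth token is treated as
// authorization for everything.
//
// service cloud.firestore {
//   match /databases/{database}/documents {
//     match /{document=**} {
//       allow read, write: if request.auth != null;
//     }
//   }
// }

// CORRECTED: the backend API is the only path to the data. Server-side
// Admin SDK access is not subject to these rules, so clients get nothing
// unless a rule below grants it explicitly.
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical collection: a user may read and update only the
    // document whose ID equals their own Auth UID.
    match /users/{userId} {
      allow read, update: if request.auth != null
                          && request.auth.uid == userId;
      // Creation and deletion happen through the backend API only.
      allow create, delete: if false;
    }

    // No other match blocks: every other path is denied by default,
    // so a client holding only an Auth token cannot list or modify it.
  }
}
```

If clients never need direct database access at all, dropping the `users` block leaves a ruleset that denies every client request while the API keeps working through the Admin SDK.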
They seem generic enough that I think it's okay, but you're right there is no need to include them and I should've caught that in the AI output, thank you!!
fc417fc802•7h ago
For the IRS it doesn't even make sense because I can drop paper forms in the mail. Don't need any ID whatsoever for that.
dom96•7h ago
We really need some sort of standard for sharing specific and limited authenticated info about ourselves to third-party websites that doesn't require sharing a full photo ID.
fc417fc802•6h ago
We really don't need a standard for sharing it online, at least nothing easy for businesses to implement. There are very few legitimate scenarios for an online service to ask for that. Online pharmacy, online signup with a bank, and online government interactions are the only ones that immediately come to mind.
I'm not even sure that the pharmacy case is legitimate now that I think about it. I don't need ID when I go in person. The prescriber can validate the mailing address for them.
hn_acc1•6h ago
Just to register for one-more-app / one-more-webboard? Nope.
WD-42•6h ago
Some private app for rating other human beings? Nope.
djoldman•5h ago
I dislike it to such a degree that I try to avoid services that require it.
Sometimes, however, it's worth trying to access services without giving the ID and just saying oh I'd like to keep that private or just not providing it and submitting an application for services without it.
Additionally, try to apply in person, as often they'll accept paper.
It doesn't work in the majority of situations but it's worth a try.