This Week in Security: Spilling Tea, Rooting AIs, and Accusing of Backdoors


The Tea app has had a rough week. It’s not an unfamiliar story: unsecured Firebase databases were left exposed to the Internet without any authentication. What makes this story particularly troubling is the nature of the app, and the resulting data that was spilled.

Tea is a “dating safety” application strictly for women. To enforce this, creating an account requires an ID verification process where prospective users share their government-issued photo IDs with the platform. And that brings us to the first Firebase leak: 59 GB of photo IDs and other photos for a large subset of users. This was not the only problem.

There was a second database discovered, and this one contains private messages between users. As one might imagine, given the subject matter of the app, many of these DMs contain sensitive details. This may not have been an unsecured Firebase database, but a separate problem where any API key could access any DM from any user.

This is the sort of security failing that is difficult for a company to recover from. And while it should be a lesson to users not to trust their sensitive messages to closed-source apps with questionable security guarantees, history suggests that few will learn the lesson, and we’ll be covering yet another train wreck of similar magnitude in another few months.

The Pi-hole (And Many Others’) Donor Leaks

The folks at Pi-hole are leading the charge in reporting on the leaks of the names and email addresses of donors to that and many other projects. The problem was actually in version 4.6.0 of GiveWP, a popular WordPress plugin.

Well this sucks: @The_Pi_Hole, my favourite maker of network-level blocker of nasty things, has inadvertently been caught up in a data breach by virtue of a WordPress plugin they use for donations: https://t.co/ANSMIA5u5G
— Troy Hunt (@troyhunt) July 30, 2025

The details of what happened aren’t pretty. The plugin had a bug where it was injecting the entire donor list into the source code of the site using the plugin.
The only redeeming element here is that those leaks were strictly limited to name and email address. But of course, that’s enough for bad actors to scrape the lists and start sending spearphishing emails, which has already happened.

One more thing to cover regarding this issue is the response from Impress.org, the makers of the plugin. The problem was fixed within hours of the report on GitHub. This turnaround is great, but the vulnerable plugin was out for a full week before it was disclosed to the authors. The official comments from Impress.org on the GitHub issue linked above fall just a bit short on recognizing the severity of the issue and taking responsibility. At the same time, it’s extremely challenging to strike the right note when writing up a response to an issue like this.

Pi in the Bank

We’ve covered a case or two where a mysterious Raspberry Pi was discovered on the network, but this one is a bit different. First off, the network in question belongs to a bank. And second, this Pi had a 4G cellular modem strapped to it.

It turns out this device was dropped as part of a scheme by the cyber crime group tracked as UNC2891. This attack has been reported to have taken place in Asia, with not many more details about the target. It’s believed that this was an attempt to infiltrate the bank’s ATM network, eventually compromise a Hardware Security Module (HSM), and ultimately steal money from the bank.

This attack was quite sophisticated, with a new technique demonstrated to hide malicious processes via Linux bind mounts. This works by bind mounting an existing process’s /proc/ folder over that of the process to hide. Many utilities won’t catch the switcheroo, as the kernel file handling will follow the bind mount over the real files. Though we do take some issue with the write-up referring to a bind mount as an “obscure Linux feature”.

And since we’re talking about banking, do you know how wire transfers actually work?
It turns out it’s an ASCII file just under 1k, sent using SFTP. There are some very old quirks to these files, like the insistence that the number of lines in the file be a multiple of 10, and the padding with 9s.

When you make a Bank ACH transaction, it’s literally just an SFTP upload.

Sent as a NACHA file, it's 940 bytes of ASCII text.

Bank-to-Bank transactions cost ~0.2 cents. As long as it travels via encrypted tunnel; it’s compliant!

Here’s how the quirky system works: pic.twitter.com/NHewY8Ojgn
— LaurieWired (@lauriewired) July 29, 2025

Rooting the Root AIs

There have been a rash of stories recently about what can happen when an agentic AI has too much power and ineffective guardrails. This week is no different, with the first story being about prompt injection in Gemini. This AI agent does have guardrails, in the form of a whitelist of commands that it is allowed to run on the system. The problem is that it’s not always apparent to users which commands have security implications.

Then there is Copilot Enterprise, which gained a Python sandbox and Jupyter Notebook earlier this year. And Copilot is perfectly happy to help the user troubleshoot how to run commands using the %command syntax. That gives just enough purchase to get root access in the Jupyter container, but that’s where this exploitation ends. It is interesting how often the key to compromising an AI is simply to ask nicely.

Zero-Trust Falls to CSRF

We don’t know the start-up that this penetration test tested, but we do know that they were building a zero-trust platform for secure VPN-like access. The entire stack was defeated by an attack as simple as a Cross-Site Request Forgery (CSRF) and an improper Cross-Origin Resource Sharing (CORS) configuration. JavaScript running on a malicious web page could use these two weaknesses to access an SSH key generation utility on the target infrastructure, and smuggle the key out. This led to a complete AWS identity takeover and more.
It was a complete win for the red team, and immensely valuable to the client to find this vulnerability chain this way, rather than in production.

Nvidia Backdoors?

The other big news this week is what sounds like an accusation from Chinese officials that Nvidia has put a backdoor in its new H20 device. These enterprise GPUs are engineered specifically for export to China, to meet the current US export restrictions around AI hardware. It’s unclear what exactly is going on here, but it’s not very likely that Nvidia actually put backdoors in their hardware, regardless of the intended market.

Bits and Bytes

CISA has released a new security tool as open source. Thorium is a new file analysis tool designed to safely investigate binaries.

CrushFTP has an RCE because of a missed authentication check on an endpoint. It allows an XML-RPC call to request the use of system.exec, which does exactly what it says it does. This manages a 9.8 CVSS as it’s unauthenticated, simple to pull off, accessible from the network, and grants RCE.

And finally, what certainly wins the simplest hack of the week award: [Mahmoud El Manzalawy] was looking at a CRM solution, and discovered an HTTP POST call that was replying with a 201 status, indicating it was successfully inserting a record into the remote database. What happens if that POST was changed to a GET and resent? The application responds with a full dump of the user database. It’s not supposed to do that. Which seems to sum up everything we cover in this column.
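A detection-side companion to the bind-mount process-hiding technique from the Pi in the Bank section above. This is an added example, not code from the column or from the UNC2891 write-up it cites. The trick only works on tools that walk /proc/<pid>; the mount table itself still records that something was mounted over that directory, so the check below parses the /proc/self/mountinfo format (as documented in proc(5)) and flags any mount whose mount point is a /proc/<pid> directory. The sample mount table is constructed for the example; the PIDs in it are placeholders.

```python
"""Find /proc/<pid> directories that have another mount sitting on top of them.

mountinfo lines look like:
  ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields...] - FSTYPE SOURCE SUPEROPTS
For a bind mount of /proc/4242 over /proc/1337 the ROOT field is /4242 and
the MOUNTPOINT field is /proc/1337. A normal system never mounts anything
at /proc/<pid>, so every such entry is worth reporting.
"""
import re

PROC_PID_MOUNTPOINT = re.compile(r"^/proc/(\d+)(?:/.*)?$")
PROC_PID_ROOT = re.compile(r"^/(\d+)(?:/.*)?$")

# Constructed sample: a normal /proc mount, a legitimate autofs mount under
# /proc/sys, and one procfs subtree (/4242) bind-mounted over /proc/1337.
SAMPLE_MOUNTINFO = """\
21 26 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
24 21 0:21 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - autofs systemd-1 rw,fd=30
98 21 0:19 /4242 /proc/1337 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""


def parse_mountinfo(text):
    """Yield (root, mount_point, fstype) for every non-empty mountinfo line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Optional fields sit between OPTS and the literal "-" separator,
        # so locate the separator instead of assuming a fixed column.
        sep = fields.index("-")
        yield fields[3], fields[4], fields[sep + 1]


def find_proc_overlays(mountinfo_text):
    """Return [(covered_pid, source_pid_or_None, fstype)] for mounts over /proc/<pid>."""
    findings = []
    for root, mount_point, fstype in parse_mountinfo(mountinfo_text):
        covered = PROC_PID_MOUNTPOINT.match(mount_point)
        if not covered:
            continue
        # When the covering filesystem is procfs, ROOT names the process
        # whose directory is being shown in place of the hidden one.
        source = PROC_PID_ROOT.match(root) if fstype == "proc" else None
        findings.append((int(covered.group(1)),
                         int(source.group(1)) if source else None,
                         fstype))
    return findings


def scan_live_system(path="/proc/self/mountinfo"):
    """Run the check against the running host; returns [] where /proc is unavailable."""
    try:
        with open(path, encoding="ascii") as fh:
            return find_proc_overlays(fh.read())
    except OSError:
        return []


if __name__ == "__main__":
    print("constructed sample:", find_proc_overlays(SAMPLE_MOUNTINFO))
    for covered, source, fstype in scan_live_system():
        origin = f" of /proc/{source}" if source is not None else ""
        print(f"/proc/{covered} is covered by a {fstype} mount{origin}")
```

The mount-table check complements, rather than replaces, comparing process listings from different sources (for example the pids returned by reading /proc against what a tool that reads each /proc/<pid>/stat reports), since the covered directory still exists and still lists in /proc.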
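A validator for the two NACHA file quirks the wire-transfer section above mentions: 94-character ASCII records, and filler lines of all 9s until the line count is a multiple of 10. This is an added example, not code from the column or from LaurieWired. The sample records are constructed placeholders (a record type code followed by filler text); the real field layout of each record type is not modelled, only the blocking rules the text describes.

```python
"""Check the record-length and blocking rules of a NACHA (ACH) file."""

RECORD_LENGTH = 94
BLOCKING_FACTOR = 10
FILLER_RECORD = "9" * RECORD_LENGTH
# Record type codes: 1 file header, 5 batch header, 6 entry detail,
# 7 addenda, 8 batch control, 9 file control (and all-9s filler).
RECORD_TYPES = frozenset("156789")


def pad_to_block(records):
    """Append all-9s filler records until the count is a multiple of 10."""
    records = list(records)
    while len(records) % BLOCKING_FACTOR:
        records.append(FILLER_RECORD)
    return records


def constructed_record(type_code, body):
    """Build a placeholder 94-char record (NOT the real NACHA field layout)."""
    return (type_code + body)[:RECORD_LENGTH].ljust(RECORD_LENGTH)


def validate_nacha(text):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    if not text.isascii():
        problems.append("file contains non-ASCII characters")
    lines = text.splitlines()
    if not lines:
        return ["file is empty"]
    for n, line in enumerate(lines, 1):
        if len(line) != RECORD_LENGTH:
            problems.append(f"line {n}: {len(line)} chars, expected {RECORD_LENGTH}")
        if line[:1] not in RECORD_TYPES:
            problems.append(f"line {n}: unknown record type code {line[:1]!r}")
    if len(lines) % BLOCKING_FACTOR:
        problems.append(f"{len(lines)} lines is not a multiple of {BLOCKING_FACTOR}")
    # Filler may only appear after the file control record (type 9 but not all 9s),
    # and nothing but filler may follow it.
    seen_control = False
    for n, line in enumerate(lines, 1):
        if line == FILLER_RECORD:
            if not seen_control:
                problems.append(f"line {n}: filler before the file control record")
        elif seen_control:
            problems.append(f"line {n}: data record after the file control record")
        elif line[:1] == "9":
            seen_control = True
    return problems


# Constructed sample: five placeholder records padded to one block of ten.
SAMPLE_RECORDS = pad_to_block([
    constructed_record("1", "FILE HEADER"),
    constructed_record("5", "BATCH HEADER"),
    constructed_record("6", "ENTRY DETAIL"),
    constructed_record("8", "BATCH CONTROL"),
    constructed_record("9", "FILE CONTROL"),
])
SAMPLE_FILE = "\n".join(SAMPLE_RECORDS) + "\n"


def record_bytes(records):
    """Total record payload, excluding line terminators."""
    return sum(len(r) for r in records)


if __name__ == "__main__":
    print(f"{len(SAMPLE_RECORDS)} records, {record_bytes(SAMPLE_RECORDS)} bytes of record data")
    print("problems:", validate_nacha(SAMPLE_FILE) or "none")
```

One block of ten 94-character records is 940 bytes of record data, which is the figure in the quoted tweet; the validator also catches a file that was trimmed before padding, a stray non-ASCII character, and filler placed before the file control record.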
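A model of the two weaknesses in the Zero-Trust Falls to CSRF section above, written as an added example rather than code from the pentest write-up the column cites. The origin allowlist, the header names and the simulated /keys/generate endpoint are assumptions. It pairs a CORS policy that reflects any Origin while allowing credentials with a state-changing handler that has no CSRF check, then shows the hardened forms side by side and a small simulation of what a page on a foreign origin can and cannot read.

```python
"""Weak and hardened CORS handling plus a CSRF check for a state-changing endpoint."""
import hmac

ALLOWED_ORIGINS = frozenset({"https://console.example.net"})  # assumption
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def cors_headers_weak(origin):
    """Reflects whatever Origin arrives and still allows credentials."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(origin):
    """Credentialed CORS only for allowlisted origins; everyone else gets no CORS headers."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def csrf_check(method, headers, session_csrf_token):
    """State-changing requests need an allowlisted Origin and a token matching the session."""
    if method in SAFE_METHODS:
        return True
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return False
    submitted = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(submitted, session_csrf_token)


def handle_key_generation(method, headers, session_csrf_token, cors_policy, require_csrf):
    """Simulated /keys/generate endpoint; returns (status, response headers)."""
    if require_csrf and not csrf_check(method, headers, session_csrf_token):
        return 403, {}
    return 201, cors_policy(headers.get("Origin", ""))


def browser_can_read_response(page_origin, response_headers):
    """Approximates the browser's CORS decision for a credentialed fetch()."""
    return (response_headers.get("Access-Control-Allow-Origin") == page_origin
            and response_headers.get("Access-Control-Allow-Credentials") == "true")


def foreign_page_obtains_key(hardened):
    """True if script on another origin can both trigger key generation and read the result."""
    # The victim's browser attaches its session cookie automatically; the
    # foreign page cannot know the session's CSRF token, so it sends none.
    session_token = "constructed-session-token"
    headers = {"Origin": "https://attacker.example", "Cookie": "session=..."}
    policy = cors_headers_hardened if hardened else cors_headers_weak
    status, resp = handle_key_generation("POST", headers, session_token, policy, hardened)
    return status == 201 and browser_can_read_response(headers["Origin"], resp)


def legitimate_request_succeeds():
    """The real console, sending the session's token from an allowlisted origin, still works."""
    session_token = "constructed-session-token"
    headers = {"Origin": "https://console.example.net", "X-CSRF-Token": session_token}
    status, resp = handle_key_generation("POST", headers, session_token,
                                         cors_headers_hardened, True)
    return status == 201 and browser_can_read_response(headers["Origin"], resp)


if __name__ == "__main__":
    print("weak stack, foreign page reads key:", foreign_page_obtains_key(hardened=False))
    print("hardened stack, foreign page reads key:", foreign_page_obtains_key(hardened=True))
    print("hardened stack, legitimate console works:", legitimate_request_succeeds())
```

Each half of the fix closes one link in the chain: the CSRF check stops the foreign page from triggering key generation at all, and the allowlisted CORS policy means that even a request which did go through would return headers the browser refuses to expose to that page.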