'Yo' app hacked by college students, hires one of the hackers

Filed Under: Android, Data loss, Featured, iOS, Mobile

Yo is crazy simple: you just message "Yo" to a contact.

Or, as the company puts it:

Wanna say "good morning"? just Yo.
Wanna say "Baby I'm thinking about you"? - Yo.
"I've finished my meeting, come by my office" - Yo.
"Are you up?" - Yo.
The possibilities are endless.

It was whipped up in 8 hours of coding at the behest of Moshe Hogeg, the CEO of image-sharing startup Mobli, who didn't have time to call or text his assistant and just wanted a way to hit one big button to do it for him, according to the Financial Times.

Angel investors loved it, to the tune of hurtling $1 million at the Poke-like app.

Within two days of the media becoming aware of the free mobile app, this cyclone swept it up:

  • It bounced past Facebook's newly released, muchly ballyhooed Slingshot app for ephemeral messaging. Mashable reports that amidst the media adoration/incredulity/curiosity, Yo had cracked the top 150 free apps in Apple's App Store by Wednesday night and continued to rise in the rankings until it ranked no. 47 in Apple's App Store by the next morning, blotting out Slingshot, which was then ranked at no. 50.
  • It got hacked by college kids.

Yo, no!

A Georgia Tech student emailed TechCrunch to let the news outlet know that he and two roommates had allegedly hacked the app.

The results, as he told TechCrunch:

We can get any Yo user’s phone number (I actually texted the founder, and he called me back). We can spoof Yo’s from any users, and we can spam any user with as many Yo. We could also send any Yo user a push notification with any text we want (though we decided not to do that).

Users reported seeing this message:

wow. many 1337. such bad security.

I hacked Yo. Use hashtag #YoBeenHacked to talk about it.

(1337 is Leetspeak for the word "leet".)

Or Arbel - Yo founder and he of the 8-hour coding behind its birth - has confirmed that Yo was hacked, says it is now fixed, and in a nice piece of PR is claiming they were "lucky" to be hacked.

We were lucky enough to get hacked at an early stage and the issue has been fixed.

We are also lucky because this hack and security breach is really highlighting what Yo is, and what we are all about.

What do I mean? Well...

The object of the app is to be simple. When you join it doesn’t ask you for your email, full name, Facebook account, or any other piece of personal information. The only identity within the Yo app is your username. We don’t want or need any other personal information. We want you to be able to give out your Yo username to anyone or any service without being afraid of suddenly getting a spammy email or a text message.

He said the only users who had their phone numbers leaked were those who had used the 'Find Friends' feature. All users had their usernames exposed, but no contact lists were accessed.

I want to make it clear that your contacts (from your phone’s address book) are never stored in the database, and were never leaked because we simply don’t store them.

And in a nice twist of fate, Or confirmed that he has now hired one of the hackers.

Once the issue was resolved (yesterday noon), we contacted the hackers and verified that the problems had been fixed. One of them is actually now working with us on improving Yo experience in other aspects as well.

Another alleged Yo hack comes in the form of a developer who got it to be a lot more verbose than it's designed to be, though this attack isn't yet confirmed.

In a video posted to Vine, user "hako" shows Yo sounding out a snap of Rick Astley's "Never Gonna Give You Up" instead of its normal "Yo!" sound.

Will you avoid using Yo because of these security glitches? Were you ever even interested in an app that just allows you to "Yo" your friends?


11 Responses to 'Yo' app hacked by college students, hires one of the hackers

  1. NickG · 123 days ago

    Oy.

  2. Jamie · 123 days ago

    Hiring someone because they're very tech savvy (even enough to hack) is one thing. Hiring someone in which you TESTED their ability, and saw they could hack, I can understand. (Because hacking, while illegal, demonstrates a great understanding of computers, above the average user.) But I wouldn't hire someone for my company that demonstrated a willingness to engage in unlawful behavior. BUT it's also very likely that we are missing key details.

    • Jim · 122 days ago

      Actually, it might be OK. We don't know the details, but IF the hacker was doing it as a service to the app vendor, this could be OK. One would have to check the hacker's history to see if he typically operates as a white-hat or grey-hat/white-hat hacker.

      The key would be intent, but that's hard to pin down with the little info we (the public) actually knows about this guy.

      So, my immediate reaction to your post is "yeah, I agree", but with the proviso that if the hacker seemed to be operating as one of the good guys, then hiring him is a good idea. For example, withholding the exploit from the public until the vendor was able to patch it would qualify him/her as a "good guy" in this context. IMO.

      • Courtney · 121 days ago

        Thank you, Jim. That is exactly my thoughts. As someone interested in doing white-hat work for network security, the fact that this guy got hired by the app devs after telling them what he had done is very encouraging.

  3. Anonymous · 122 days ago

    I'm not interested in Yo in the first place, but my thoughts are: 1) This is what happens when you code an app in 8 hours with no security reviews. 2) It points out that Yo doesn't suck up a lot of data that's none of its business, which not a lot of apps like it can claim these days. 3) It's nice that the Yo founders didn't have a knee-jerk scream at law enforcement to break down the hackers' doors and ruin their lives reaction, which is also unlike a lot of businesses these days.

  4. Frodo · 122 days ago

    Still going strong, #11 on the overall US chart. I like these guys' attitude towards getting hacked.

  5. Anonymous · 122 days ago

    Rewarding a hacker with a job is like giving your dog a bone for biting your ankle.

    • Anonymous · 122 days ago

      It's more like keeping spiders in your house to kill the flies.

  6. Anonymous · 122 days ago

    I think it's a good thing to hire a hacker for providing security. These kids probably know more about leapholes than 50 years experienced boring security grandpas who claim to know everything lol. So yeah, if they want to help why not? It is probably a better investment than hiring a full-professional who got a lot of degrees in computer science but doesn't know about hacking at all. #whoneedsschoolanyways.

    • Jim · 120 days ago

      I'm glad you're not referring to me: I've only got 40 years of hacking behind me. :)

      Seriously, it's a two-edged sword. But, I would venture a guess that almost all security folks have spent at least a little time on the other side of the law. Especially when younger.

      One thing I say all the time (twice today already!): "Why don't these guys get a job?" Well, THIS guy DID get a job.

      But, there is a risk: those who have played on the darker side of computing frequently can't resist the urge to "have fun" there again, even though they're working legitimately now. I've had the opportunity to mentor a few guys who've jumped from the dark side to our side, and one thing I tell them every time (paraphrased):

      "Don't play on the dark side any more. You're working for us now. Get permission to do your hacking, IN WRITING, from the owners of the equipment you'll be hacking. The company will be highly intolerant of black-hat and even grey-hat offenses, and you will get blacklisted. It won't be pretty. So, stay away."

      All in all, it's a judgment call. The business owner has to balance the person's past against their potential value in the future. And, the leash should be short until the person proves their value.

    • NickG · 119 days ago

      I love that you talk about 'leapholes' (?!?) and then hashtag it with 'whoneedsschoolanyways'. You, apparently.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.