‘Yo’ app hacked by college students, hires one of the hackers

Yo is crazy simple: you just message “Yo” to a contact.

Or, as the company puts it:

Wanna say "good morning"? just Yo.
Wanna say "Baby I'm thinking about you"? - Yo.
"I've finished my meeting, come by my office" - Yo.
"Are you up?" - Yo.
The possibilities are endless.

It was whipped up in 8 hours of coding at the behest of Moshe Hogeg, the CEO of image-sharing startup Mobli, who didn’t have time to call or text his assistant and just wanted a way to hit one big button to do it for him, according to the Financial Times.

Angel investors loved it, to the tune of hurling $1 million at the Poke-like app.

Within two days of the media becoming aware of the free mobile app, this cyclone swept it up:

  • It bounced past Facebook’s newly released, muchly ballyhooed Slingshot app for ephemeral messaging. Mashable reports that amidst the media adoration/incredulity/curiosity, Yo had cracked the top 150 free apps in Apple’s App Store by Wednesday night and continued to rise in the rankings until it ranked no. 47 in Apple’s App Store by the next morning, blotting out Slingshot, which was then ranked at no. 50.
  • It got hacked by college kids.

Yo, no!

A Georgia Tech student emailed TechCrunch to let the news outlet know that he and two roommates had allegedly hacked the app.

The results, as he told TechCrunch:

We can get any Yo user’s phone number (I actually texted the founder, and he called me back). We can spoof Yo’s from any users, and we can spam any user with as many Yo. We could also send any Yo user a push notification with any text we want (though we decided not to do that).

Users reported seeing this message:

wow. many 1337. such bad security. I hacked Yo. Use hashtag #YoBeenHacked to talk about it.

(1337 is Leetspeak for the word “leet”.)

Or Arbel – Yo founder and he of the 8-hour coding behind its birth – has confirmed that Yo was hacked, says it is now fixed, and in a nice piece of PR is claiming they were “lucky” to be hacked.

We were lucky enough to get hacked at an early stage and the issue has been fixed.

We are also lucky because this hack and security breach is really highlighting what Yo is, and what we are all about.

What do I mean? Well...

The object of the app is to be simple. When you join it doesn’t ask you for your email, full name, Facebook account, or any other piece of personal information. The only identity within the Yo app is your username. We don’t want or need any other personal information. We want you to be able to give out your Yo username to anyone or any service without being afraid of suddenly getting a spammy email or a text message.

He said the only users who had their phone numbers leaked were those who had used the ‘Find Friends’ feature. All users had their usernames exposed, but no contact lists were accessed.

I want to make it clear that your contacts (from your phone’s address book) are never stored in the database, and were never leaked because we simply don’t store them.

And in a nice twist of fate, Or confirmed that he has now hired one of the hackers.

Once the issue was resolved (yesterday noon), we contacted the hackers and verified that the problems had been fixed. One of them is actually now working with us on improving Yo experience in other aspects as well.

Another alleged Yo hack comes in the form of a developer who got it to be a lot more verbose than it’s designed to be, though this attack isn’t yet confirmed.

In a video posted to Vine, user “hako” shows Yo sounding out a snap of Rick Astley’s “Never Gonna Give You Up” instead of its normal “Yo!” sound.

Will you avoid using Yo because of these security glitches? Were you ever even interested in an app that just allows you to “Yo” your friends?