People invested $1.2 million in an app that had no security
Proving that no one learned from Snapchat's security and privacy spectacle, people invested $1.2 million in an app that had essentially no security.
Despite the news that it was hacked only days after its media fanfare, Yo still isn't coming clean.
Last week free Android and iOS app "Yo" was top in Google Play and iTunes downloads and hot in tech press, with much fanfare focusing on its pointlessness, popularity and sizable cash backing.
By Friday night the app had been hacked five ways until Sunday (literally).
Smart of Yo to monetize by open-sourcing everyone's phone numbers.
— Prof. Jeff H Jarvis (@ProfJeffJarvis) June 20, 2014
After Friday night's report Yo had been hacked and people were sending "Yos" as Elon Musk (among other things), Yo founder Or Arbel told TechCrunch that Yo was “having security issues.”
On Saturday Arbel wrote in a Medium post, "We were lucky enough to get hacked at an early stage and the issue has been fixed."
If you haven’t used the FIND FRIENDS feature, the only piece of information that was leaked was your Yo username.
The optional feature of FIND FRIENDS uses your phone number to let you know which of your friends are using Yo. I want to make it clear that your contacts (from your phone’s address book) are never stored in the database, and were never leaked because we simply don’t store them.
But that's not exactly true.
Yes, it's possible to grab anyone's phone number on Yo. pic.twitter.com/dTPiXAsfsk
— Jason Dinh (@xuki) June 20, 2014
In terms of safeguarding user information, Yo left the baby in the shopping cart at the grocery store during a zombie outbreak of Pedobears.
@ws With enough poking, you can find their entire database of all Yo’s sent which has the usernames of everyone.
— Joe Torraca (@jtorraca) June 20, 2014
"Yo" application is reading your full contact book and is probably creating a huge database of users like TrueCaller did. (Hint: Markcom)
— Matt Suiche (@msuiche) June 21, 2014
@ws I was having a poke around last night, and you're right - 10 minutes and you've got all the info you need to launch a serious attack.
— Jamie Hoyle (@mightyshakerjnr) June 20, 2014
Yo still has major auth issues. Seems you can login as anyone with a blank password
— Hubert (@hubert3) June 21, 2014
Yo's response was less than adequate.
Perhaps I'm being unfair -- I've been accused of this in the past. Though I'll argue that it takes a village to abandon a baby. TechCrunch looked much deeper than my superficial pass from the start, introducing Yo as "the hottest new app" and "the beginning of a new era."
In fact, TechCrunch went colon-deep to promote Yo, philosophizing that "Yo’s digital dualism play is far more understated, but perhaps more universal."
It was a stellar write-up, whatever it meant. And I'll concede that under the weight of such praise, I'll bet it's easy to space out on the whole "user security" part of your job.
The Yo devs did absolutely nothing to try and prevent this from happening. It’s only a matter of time before someone malicious discovers.
— Will Smidlein (@ws) June 20, 2014
@jtorraca @ws They did literally nothing to lock stuff down. The unthoughtfulness of some developers scares me.
— Daniel Tomlinson (@dantoml) June 20, 2014
It's tempting to congratulate Silicon Valley for producing another Snapchat -- a venture capital vehicle much like a bus, under which users are thrown. While a new CSIS report estimates that the global cost of hacking and cybercrime is $445 billion annually, the people with the most power, money and influence are practically giving away their user databases to anyone who tries the front door just to see if it's unlocked.
Some might argue that dumb users get what they deserve; that the 500K people who signed up for Yo are just as stupid as -- well, anyone who had a hand in delivering this data theft honeypot to the public. But that wouldn't be correct. You can't accuse people of stupidity when they've been deceived.
By signing up for Yo through the Play Store and iTunes, each of Yo's users had a reasonable expectation of some vetting, of a baseline of security.
Go down the failure and deception chain any way you like with this one, but make sure you pack a sandwich because you'll be lost in that funhouse of #fail for a while.
"[Success] is not about the technology, it's about the execution."
If Yo is an example of typical Silicon Valley business practices, then we're in a lot of trouble.
@copiesofcopies @thegrugq @xuki @Matt_Cagle Yo: a new record for ratio of attackable surface area to functionality
— Parity (@pty) June 21, 2014