
Unlikely hit app Yo is 'hacked' by students - ColinWright
http://www.bbc.co.uk/news/technology-27939799
======
thegeomaster
I'm puzzled when new, "innovative" (well, in some sense) apps such as this get
hit by simple hacks such as this one. I was puzzled as well when some idiotic
misuse of encryption exposed WhatsApp data (I'm not sure if I remember
correctly, but that was the gist of it). Startups bear a distinct culture
around them, and for me at least it means very capable hackers behind them.
But I would seldom consider anyone who'd commit such fundamental security
no-nos a "capable hacker".

But, after all, this Yo thingy doesn't even look like a real startup.

~~~
Quarrelsome
I think it's the size of the burden. If you're creating a thing from scratch
and are responsible for pretty much every single aspect of it from dev to
sysadmin PLUS you have CTO responsibilities on top of that, you just lose track
of stuff and make the odd mistake.

"I'll fix that a bit later" becomes "I have no idea what code is there anymore
nor even the time to contemplate it".

Perhaps.

------
0xeeeeeeee
It's a data leak...very similar to Snapchat's issue and the Apple iPad fiasco
found by weev. It's pretty sad that an app with almost no functionality had
any problem.

It's also interesting how these developers seem to repeat this exact mistake
over and over. I don't understand how people don't see a public-facing API
call for mapping usernames to phone numbers or phone numbers to usernames as a
bad idea...

~~~
Spearchucker
Because security is not easy. Often when I ask these questions the responses
range from not being worth bothering with because we still shop at Target,
even though they've been hit, to just dealing with a breach after the fact,
rather than being a little more proactive about it.

E.g.
[https://news.ycombinator.com/item?id=7920558](https://news.ycombinator.com/item?id=7920558)

Like I said, security is hard. Microsoft is the only large corporate I know of
with a published security development lifecycle, and while it's starting to
benefit their products they're still not getting it 100% either. Security is
also contentious, because doing it right means forsaking the idea of an MVP.
It also requires design up front. And experience. These sorts of things are
not exactly aligned with the hacker mindset, nor with startup culture.

~~~
0xeeeeeeee
Absolutely security is hard...and it's also not what `Yo' is really worried
about. If they have to worry about security, then they already hit it big and
they can just fix the issue ex post leako.

~~~
krapp
On the one hand, 'Yo' was created in a day. Though maybe the author should've
spent say a week on it.

On the other, it's been proven possible to ignore or botch security until you
have to make a minor show of apologizing for it, without fear of consequence,
if you've already gotten enough traction. Unfortunately, this only seems to
prove to businesses that security is a fruitless endeavor, and a waste of
effort better spent making sure the UI is shinier. On the third, I've had to
explain to people and their startups that SQL injection and XSS even _exist_,
much less that they're a problem worth dealing with _now_, so there might also
be an education issue.

I think the answer would probably be more things which are secure out of the
box. In particular, frameworks and the languages themselves (I'm looking at
you PHP) which interface with the web should default to secure as much as
possible.

------
lotsofmangos
The Game of Thrones producers should release a competing app called 'Hodor'.

------
ogig
'Yo' reminds me of Woof,
[https://www.youtube.com/watch?v=8wfG8ngFvPk](https://www.youtube.com/watch?v=8wfG8ngFvPk)

------
alttab
Because the app has very little purpose, it's obvious why it exists at all: it
enables the collection of networked data. But because it was built in 8 hours,
you get what you put into it.

"built in 8 hours", "does basically nothing" but here, ping people through it
and allow us to map this activity to your phone number and user name.

So when this data leaks, everyone gets puzzled. Are we conflating the
importance of the data with the importance of the app?

------
colinbartlett
Discussion from when this happened a few days ago:
[https://news.ycombinator.com/item?id=7920023](https://news.ycombinator.com/item?id=7920023)

