
Yik Yak Hack - yakattack
http://silverskylabs.github.io/yakhak/
======
kapsteur
It's as if every new social network needs to be hacked before it explodes:
Tinder: [http://www.cammipham.com/tinder-hack/](http://www.cammipham.com/tinder-hack/)
WhatsApp: [http://techcrunch.com/2014/03/12/hole-in-whatsapp-for-androi...](http://techcrunch.com/2014/03/12/hole-in-whatsapp-for-android-lets-hackers-steal-your-conversations/)
Snapchat: [http://www.reddit.com/r/Thefappening3/comments/2j4lql/90000_...](http://www.reddit.com/r/Thefappening3/comments/2j4lql/90000_private_photos_and_9000_hacked_snapchat/)

~~~
avbor
I don't quite understand what the hack was for the Tinder one. She just
optimized her profile for likes? And added a banner saying match of the day?
Not the hack I was expecting.

~~~
kapsteur
sorry, the correct link: [http://www.businessweek.com/articles/2014-02-19/new-tinder-s...](http://www.businessweek.com/articles/2014-02-19/new-tinder-security-flaw-exposed-users-exact-locations-for-months)

~~~
avbor
This one is much more troubling, and fits in more with your other links. I
guess the lesson here is to treat everything like it's a beta, because that
seems to be the nature of app and game development these days.

------
TazeTSchnitzel
Surprising they only used the User ID for auth. Surely you'd also generate a
private key on the device and either use it as a password, or do public key
cryptography to authenticate?

By the sounds of the Wikipedia article the developers were novices, however,
which might be why they didn't think of doing this.
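The device-held credential suggested in the comment above, worked through as an added example (not code from the article or from Yik Yak): the phone keeps a random secret generated at install, the user ID stays a plain identifier, and each request carries an HMAC over a server-issued single-use nonce. Names (`Device`, `Server`, `demo`) and the constructed request body are assumptions; the scheme uses only the Python standard library.

```python
import hashlib
import hmac
import secrets


class Device:
    """Phone side: a random secret generated at install time and never sent again
    after a one-time enrolment (which must itself happen over TLS)."""

    def __init__(self):
        self.user_id = secrets.token_hex(16)   # identifier only, not a credential
        self.secret = secrets.token_bytes(32)  # the real credential, kept on-device

    def sign_request(self, nonce: bytes, body: bytes) -> dict:
        """Prove possession of the secret without transmitting it."""
        tag = hmac.new(self.secret, nonce + body, hashlib.sha256).hexdigest()
        return {"user_id": self.user_id, "nonce": nonce.hex(), "body": body, "tag": tag}


class Server:
    """Stores each device's secret and issues single-use nonces, so a captured
    request can neither be replayed nor used to mint new ones."""

    def __init__(self):
        self._secrets = {}
        self._outstanding = set()

    def enroll(self, user_id: str, secret: bytes) -> None:
        self._secrets[user_id] = secret

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, req: dict) -> bool:
        nonce = bytes.fromhex(req["nonce"])
        secret = self._secrets.get(req["user_id"])
        if secret is None or nonce not in self._outstanding:
            return False  # unknown user, or nonce never issued / already consumed
        self._outstanding.discard(nonce)  # single use, whatever the tag says
        expected = hmac.new(secret, nonce + req["body"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, req["tag"])


def demo() -> tuple:
    """Genuine request, its replay, and a forgery by someone who only sniffed the ID."""
    device, server = Device(), Server()
    server.enroll(device.user_id, device.secret)
    req = device.sign_request(server.issue_nonce(), b"yak: constructed sample post")
    genuine = server.verify(req)
    replayed = server.verify(req)                      # same nonce again
    forged = dict(req, nonce=server.issue_nonce().hex(), tag="00" * 32)
    return genuine, replayed, server.verify(forged)
```

Contrast with the article's scheme: there, sniffing the user ID on the wire is the whole attack, whereas here a sniffed request yields an identifier and a one-shot tag but no reusable credential.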

~~~
sssss3333
There are no visible usernames in the app. I'm not sure what good taking over
someone's account would do you.

~~~
smt88
1. Hack someone in your office

2. Hack someone in your home (one of your kids for example)

3. Hack someone in a coffee shop

Generally, when someone thinks they're anonymous and they aren't, bad things
are going to happen.

~~~
tedks
By "hack", you mean "discover the userIDs of users launching the app in your
{office/home/coffee shop}." But this does not equate to a deanonymization of
ANY past posts necessarily. userIDs are generated on app install, so anyone
hoping to be anonymous needs only connect via a VPN to avoid a MITM on that
particular connection, post the anonymous secret, and re-install the app. Then
any further use of the app will not leak that they posted the secret, and in
fact the information has been destroyed.

~~~
woah
And I'm sure that's exactly what most users will do.

------
personjerry
So you can MITM and take over someone's anonymous account, so what? There's no
associated personal information, no logins or anything, so you wouldn't even
know who owns that account, let alone passwords or emails.

You can view all the posts they've made and make a reasonable guess as to
which person it was, I suppose, but that seems like a pretty flimsy argument.

~~~
mikeash
Being able to link an account to a local IP address and MAC address would
probably let you deanonymize the account. At the least, you could find the
wifi MAC and then walk around measuring signal strength until you found the
right table.

------
stryan
This doesn't seem like it will be too much of a practical problem. As said in
the article, YikYak is mostly used on university campuses and odds are if a
student is on campus they would be connected to the university wifi. From
personal experience most universities use some form of WPA2-Enterprise
authentication, which Wireshark can't decrypt.

~~~
saidajigumi
> As said in the article, YikYak is mostly used on university campuses

University campuses, where students are constantly using the free WiFi in
cafes, are on private WiFi networks shared with friends, etc. Even if the
University's own WiFi was magically invulnerable, there will be _many_
associated venues ready for use of this exploit.

~~~
pyre
1. Set up an open access point in the middle of campus.

2. Give it a default name (e.g. 'linksys').

3. Capture packets.

4. Profit.

~~~
scandinavian
There is no profit though, no one uses YikYak for posting anything remotely
important.

~~~
TazeTSchnitzel
Ehh, people sometimes post embarrassing/hateful things on YikYak; being able to
out them would be a problem.

~~~
btown
Or to blackmail them so you don't reveal their identity.

------
TazeTSchnitzel
Was this responsibly disclosed? It doesn't seem to say whether it was. I'm
fearing the worst.

~~~
fiberloptic
Does the website disclose who is posting what?

Turnabout is fair play.

------
andrewchambers
They could just one-way hash the userid then send that to the analytics
service.
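The one-way-hashed analytics ID proposed above, as an added example rather than anything from the article or Yik Yak's own code: a keyed hash (HMAC-SHA256 with an app secret the vendor never receives) gives the analytics service a stable per-user pseudonym while making sure that even an enumerable user ID space cannot be reversed from a captured payload. The user ID, secret, function names and `FakeYakServer` are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values: a stand-in user ID (which, per the article, is also
# the auth credential) and a 32-byte app secret the analytics vendor never sees.
SAMPLE_USER_ID = "0f9c2a7e-4b6d-4c1e-9a3b-5d8e7f6a1b2c"
APP_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)


def derive_analytics_id(user_id: str, secret: bytes) -> str:
    """Stable pseudonym: the same user always maps to the same value, but nobody
    without `secret` can map it back to user_id, even by enumerating IDs."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def build_analytics_event(user_id: str, secret: bytes, event: str) -> dict:
    """What leaves the device for the vendor: the pseudonym, never the raw ID."""
    return {"uid": derive_analytics_id(user_id, secret), "event": event}


def event_leaks_credential(event: dict, user_id: str) -> bool:
    """Detection-style check on a captured payload: does it carry the raw
    credential, as the cleartext Flurry call in the article did?"""
    return any(isinstance(v, str) and user_id in v for v in event.values())


class FakeYakServer:
    """Stand-in for a backend that authenticates purely by user ID."""

    def __init__(self, known_ids):
        self._known = list(known_ids)

    def authenticate(self, presented: str) -> bool:
        # Constant-time comparison against each known ID.
        return any(hmac.compare_digest(presented, k) for k in self._known)


if __name__ == "__main__":
    ev = build_analytics_event(SAMPLE_USER_ID, APP_SECRET, "app_open")
    server = FakeYakServer([SAMPLE_USER_ID])
    print(ev)
    print("payload leaks credential:", event_leaks_credential(ev, SAMPLE_USER_ID))
    print("pseudonym accepted as credential:", server.authenticate(ev["uid"]))
```

This only stops the analytics channel from carrying the credential; the transport to the vendor still needs HTTPS, as the rest of the thread discusses.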

------
johnnycash
Sacrificing users' security just to load ads and generate revenue says a lot
about this company's ethics.

~~~
tedks
Do you know anything about Yik Yak? It doesn't have ads, at least not on
Android.

~~~
johnnycash
The article says they temporarily disable HTTPS to make a call to Flurry,
which is an advertising/analytics company. They must be accessing the
analytics side.

~~~
hrrsn
To be fair to YikYak, they didn't switch off HTTPS, Flurry switches it off by
default. Maybe they didn't know of that? In any case, they should enable it
and Flurry should make it the default.

~~~
JimmehAH
I imagine it's disabled by default because at one point in time (not sure if
it's changed in the last few years) any application on the iOS App Store using
SSL required registration with the US Government for export control.

~~~
hrrsn
Really? That sounds... stupid.

------
hayksaakian
big take away: if you're using dependencies that talk across the internet,
make sure they're ALSO using HTTPS

~~~
smt88
There's genuinely no excuse for Flurry (or any other vendor) to have an API
that is not secured with HTTPS by default. I can't think of any reason other
than stupidity or laziness, and those aren't excuses.

This is especially true of Flurry, which is tailored for connections directly
from devices.

------
marco1
They're hosted on AWS and probably using server name indication (SNI) for
their SSL. Android's version of HttpClient is outdated (and won't be upgraded
[1]). This is why SNI is not supported in that library and this may be why
they chose to use some dirty hacks [2] so that they can use SSL with
HttpClient.

[1] [http://android-developers.blogspot.de/2011/09/androids-http-...](http://android-developers.blogspot.de/2011/09/androids-http-clients.html)
[2] [https://developer.android.com/training/articles/security-ssl...](https://developer.android.com/training/articles/security-ssl.html)

------
marco1
"To perform user-based analytics, Flurry needs some way of keep tracking of
individual users. Yik Yak gave them the only user identification they have
available: the userID."

And, while reading the article, we all probably were: "No, please, I hope they
didn't do what I'm afraid is following now ..."

------
skrebbel
What the hell? All that talk, plus a toolkit download, and not a word about
responsible disclosure?

I'm not sure if I'd ever want SilverSky (the firm behind this) to have my
money.

~~~
areohbe
Silversky disclosed this to the Yik Yak team on December 2nd.

The original source appeared on their blog on Friday, December 3rd after Yik
Yak had released an update to the App Store.

[https://www.silversky.com/blog/yik-hak-smashing-the-yak](https://www.silversky.com/blog/yik-hak-smashing-the-yak)

------
brotoss
Would it be illegal to use this and post photos of the idiots using this app
on my campus with their associated comments?

------
ForHackernews
I don't see how this matters much. YikYak is anonymous, so if you stole my
"account", all you'd get is my yakkarma. Potentially having a history of past
yaks would reveal something about the user (not in my case).

------
UUMMUU
This is the app that all those high school kids almost killed themselves over,
right? Hack away. I would say responsibly disclose, but this app only hurts
people.

------
at-fates-hands
So another session hijacking hack using easily available tools?

------
Yadi
Oooow snap!

------
_almosnow
A truly futile 'vulnerability'.

~~~
pyrois
Sorry, in what way? Because Yik Yak is pointless?

~~~
bduerst
Probably because the hack is value-less.

I doubt the users find the app pointless, but there isn't much reason to steal
someone's account. You can't even link it to their real name to blackmail
them.

~~~
pyrois
Sorry, I'm really ignorant about these things, but once you have the IP of the
phone that sent some message, couldn't you trace that to the physical phone?
So you want to know who posted "foobar", you wait until you have someone's
user id that posted "foobar", and then use the IP address of the most recent
outgoing message to identify the phone. Since there's typically one user per
phone, won't that identify the user?

~~~
lnanek2
Knowing the IP is pretty useless. The closest you can get publicly if you know
that is the general region, but this app is already a nearby radius app, so
you already know that. If you have law enforcement powers you can try to get
the subscriber info who was using that IP during that time period, but normal
people don't have that ability.

Even the article has to fall back to saying you have to just keep monitoring
packets with that IP and hope the user uses some non-HTTPS web site that
reveals their name. Although, honestly, most ISPs don't give you a static IP
any more so the same user could be a different IP address multiple times a
day.

~~~
mintplant
As demonstrated in the article, this gives you a local IP address which you
could use to find the hostname of the device. For iOS devices, the hostname
often contains the owner's name.

------
fataliss
I still don't quite get why people would want to disclose real private messages
anonymously on the internet. It should be common knowledge that nothing is
ever 100% secure. It's all about the amount of effort people are ready to put
in to hack it. For me it's a pointless app, with a hack that requires way
too much effort to get such a small value. But that is nonetheless a
vulnerability and I agree that this reveals some negligence from Yik Yak
engineers. It's a big fail for them to be advertising privacy when they don't
even check the security of the 3rd party tools they include in their flow.
This should serve as a reminder for the rest of us engineers to never blindly
trust 3rd party tools and always cover your ass! Thanks for sharing :)

~~~
unknownian
> real private messages

That's not the point of Yik Yak. You're just broadcasting to the community,
and rarely is something super incriminating posted, at least in my college's
community.

