

Yo App Allegedly Hacked By College Students  - intull
http://techcrunch.com/2014/06/20/yo-app-allegedly-hacked-by-college-students/

======
DigitalSea
The Yo joke keeps on getting funnier. First 1.2 million dollars of funding for
an app that allows you to send, "yo" to your friends and now this hack. What
the hell was the money spent on? It certainly wasn't security. I'd imagine the
developers threw a massive party with kegs and thousands of pizzas with the
funding money because let's be honest: Yo is an MVP product that is not refined
nor innovative and could be built by a 14-year-old with a Udemy course on
Objective-C. The fact it supposedly took 8 hours to build and started off as
an April Fools' Day joke says it all, right?

I like stupid apps and things like this, but the fact this received funding
just reminds me of 1999. Apps like this shouldn't take funding, they're short-
lived hype apps, they're not the next Twitter or Facebook. Can the bubble just
pop already please? Save the VC funding for startup ideas that actually
deserve it. This is the pet rock of mobile apps.

At least Mike Judge has a plot he can adopt for season two of Silicon Valley
though.

~~~
madeofpalk
Maybe they haven't spent the 1.2 million dollars? Maybe they and their
investors know a little bit more than we do and have something up their
sleeves.

What we do know is they sure have received a lot of attention they wouldn't
have otherwise.

~~~
etler
There's so much potential for this app, they could add a keyboard and allow
you to send any message you want for instance...

------
Spearchucker
I have little sympathy for Yo - it's indicative of the cavalier (arrogant?)
attitude many seem to have towards security these days. There's this prevalent
minimum viable product attitude lately that seems to make app developers think
security is something you can think about later.

It isn't. You have an obligation to your users and the personal data they
entrust you with. Build it in. Today. And know that you can't write secure
code as part of an agile process. Security means sitting down and working out
a threat model before you jump into code, user needs and backlogs. In other
words, choose design up front, or have a contingency ready because you're
going to get hacked.

~~~
Kiro
You're wrong. I can think of many apps where security shouldn't be the main
focus. Apps where neither the developer nor the users really care if it
happens. Yo is one of them.

~~~
Spearchucker
I didn't say it should be the main focus. Also, your comment demonstrates my
point (thanks for that). It's arrogant, and demonstrates a lack of insight. If
they don't, Yo _should_ care. As I mention in another comment below, this
impacts their reputation. Imagine if the developers of Yo build something that
really should be secure one day. First thing I'd think is they don't bother
with security, so I won't use that app. Or the developer interviews somewhere
else one day -

 _Interviewer_ : "So dude, what have you done in your career?"

 _Yo dev_ : "I built Yo."

 _Interviewer_ : "Yo got hacked. Goodbye."

~~~
danielweber
. . . said no interviewer ever.

And as selfishly awesome as it would be for my career if security holes became
career-ending mistakes (hire me so you don't lose your job!), the only people
who haven't written software with security holes are those who haven't written
software.

~~~
Spearchucker
I get it. Because absolute security is an impossibility, we just shouldn't
bother at all.

See what you and I did there? Extremes, both sides of the argument. I know
that no interviewer says that - it was done to illustrate my point.

------
paul9290
Great marketing, everyone is talking about the app now. Just heard it on the
FM radio.

The title of the article even hints at this being marketing... "allegedly."

I don't believe much of anything I see on the Internet. I think you shouldn't
either!

~~~
joekrill
Well if you scroll down to the "Update" portion you'll see it's been
confirmed. Alas, that's by the CEO, so I guess theoretically this could all be
one big scheme. But they were getting quite a bit of hype before this security
issue(s) arose.

------
sillysaurus3
Is it wise to advertise that you've hacked any app in this social climate?

Theoretically, could the founder of Yo have pressed charges against the
student? (This would, of course, be complete suicide for any startup. But
companies aren't always rational actors.)

~~~
onuryavuz
Nope, they are white hat. Hacking a product/app/website and not talking about
it, not warning the founder is the problem.

In fact, what those guys are doing increases the collective conscious and
improves the system to be able to develop better/safer products.

~~~
stackcollision
I recall a case where the courts did not agree with you. I can't remember
names or many details, but the gist was that some guy realized that one of the
pages was taking an fdat argument that was his userid, and by simply
incrementing that number he could retrieve the data of any user he wanted. He
presented his findings to the company (something major, like AT&T maybe), and
they immediately sued him. He fought in court saying he wasn't malicious and
was "white hat" as you say, but I believe he was convicted.

Does anyone remember this case?

~~~
danielweber
Weev. Search HN, there are hundreds of conversations about that case.

------
isaiahturner
I came here to talk a little about Yo. I was one of the original people to
"hack" the app and updated the message to say "Tweet #YoBeenHacked" at about
3AM EST on June 20th. This is the hashtag that has since been used.
Approximately 15 minutes after doing this, I received a call from Or, the
founder and CEO of Yo. Or, Chris, and I talked for about an hour and fixed a
few issues then. From that point on, the message could not be updated.

The issues with Yo were not entirely Or's fault. As he put it, the app was
intended as a "prototype" and had it not blown up so fast, this would not have
been an issue. A common claim is "You have 1 million dollars, hire someone to
fix this!" which Or had already done. A meeting with the Parse team had
already been scheduled long before today and had everyone tried to hack the
app today, the attempts would fail. During this meeting Parse's Security team,
Or and I fixed the security issues. I would be happy to answer any other
questions, post below.

During the conversation Chris and I were both offered freelance jobs. Chris
declined, I accepted. I currently am working on a feature for Yo to update
your username.

~~~
jsinghdreams
How was the Yo app hacked to play sounds('rick roll') that weren't originally
in the app binary?

~~~
isaiahturner
Or came to the conclusion those people changed the binary and that they were
on jailbroken devices. Those videos were faked, so to speak.

~~~
jsinghdreams
Gotcha. The binary only has two .mp3 files: yo.mp3 and yoyo.mp3.

------
jyz
Georgia tech alum here. Whoever did this, I may have a job offer for you!
Awesome!

------
uptown
And suddenly 'Yo' has a path to monetization ... litigation!

------
irfan
The app uses the parse.com API for all communication (and probably for all data
storage) and I haven't seen it communicating with anything other than parse,
getsentry and flurry services.

Does hacking the app mean hacking parse.com?

~~~
fredsted
Maybe the hackers found their API keys in the app binary.

~~~
infinite_snoop
Ok, I took another look and all the Parse keys are in a very obvious place!

~~~
infinite_snoop
I'm interested in how you can conceal these API keys in Android, there does
not seem to be any recommended approach.

Obscure methods like wrapping them up in C native code get mentioned. I'm
assuming Proguard does not help?

------
ulfw
Those students have done a better job than the original app developers and
deserve a million dollars more than funding for a 'Yo' app. Please. Let's be
serious.

------
jacquesm
App now sends 'Ya!'.

~~~
zedadex
"Oy!"

------
jwheeler79
'bringing on a specialist security team' (i.e. better programmers who know
what the fuck they're doing)

------
mantraxC
Quick! Give those students one million dollars in VC funding!

Just think about it. We have more and more flash-in-the-pan shoddily written
apps in mobile.

And because they're flash-in-the-pan, for a time, they're popular. And because
they're shoddily written, they're easily exploited at the peak of their
popularity, so you can amass a ton of personal information from the app users
and abuse it any way you want.

Hacking crappy mobile apps may soon become the new "my WordPress blog got
hacked". Think of the potential, it can be a whole new industry. Not to
mention all the fake diplomas, mortgages, Russian brides and Cialis pills
that'll get sold in there.

