Hacker News new | past | comments | ask | show | jobs | submit login
We found critical vulnerabilities in Hive Social (zerforschung.org)
219 points by pantalaimon 60 days ago | hide | past | favorite | 78 comments

Hive is a My First App project from a teen who taught herself to code in 2019 (https://www.hivesocial.app/about-us).

Caveat emptor.

that's such a success story hitting 1M users as a hobby project, let alone from a teenager. I've never done anything close to this, and not for lack of trying...

I've been in Bay Area high tech software for a long time now, and more recently I've been participating more in the indie hacker scene. It is fascinating to me that I do know many extremely talented engineers who either dream of setting out on their own and never do, or they try and repeatedly fail. Then random novices in circumstances far removed from tech teach themselves a little coding online and start making 5 figure MRR quickly.

There are somewhat obvious explanations. Coding is only one subset of the skills to launch a successful software business, and not even the most important one. There's also a huge element of randomness and luck, especially for a single given project and especially for any type of free b2c social app. Also, people outside Silicon Valley bubble have access to unique social circles that can serve as community "bootstrapping", which would be especially important for a social app

Even knowing all that, there's an element of surprise when you see it happen.

I do suspect another big factor is that experienced people overthink things a bit, much like a child seems to learn a language faster than an adult but may only be more willing to make silly mistakes. Many of the best startups and indie projects would never be started by many experienced engineers because they're perceived as too simple, the market is too saturated, or simply they feel they'd look foolish for trying and failing to do something simple instead of trying and failing something complex.

> I do suspect another big factor is that experienced people overthink things a bit, much like a child seems to learn a language faster than an adult but may only be more willing to make silly mistakes.

The term for "failed to implement any kind of authorization in the API" isn't "silly mistakes", it's "professional negligence".

It's unethical to learn 101-level stuff by playing around with a million people's personal information. These guys should turn Hive off and never, ever turn it back on.

I think it's more that people outside of tech often also have great ideas that could potentially make a great MRR quickly, but most never even try, then a lot simply fail and you never hear from them too, then there's the ones who actually do learn all the coding required and other skills to make a successful website and actually do become successful, but by then the people you hear of being successful are of course just a small subset of the people who actually had a great idea for a successful business that would make high MRR quickly. So, to me, the idea or the need being solved is the primary driver of what ultimately makes a business successful, even though of course so many skills are required, amongst other things too.

All those things could be the case, but I think the most likely is that its just random, and unlikely you'll ever succeed in the first place.

Case in point, why did you first learn programming? Probably because you wanted to build something, maybe because you thought it could be a success. Everybody starts as a non-tech person getting into it with a specific goal, really what makes you a programmer is the fact you failed, and unless you gave up you tried again and learnt and became better at your craft. Not to say that those that succeed the first time don't, but its not as much as natural process.

I started programming, as a lot of people do, because I wanted to make a game (and still do), and like a lot of people that first get into game dev, my first goal was to avoid doing that messy programming work myself and find someone that can do it for me. Again, like many, I tried this for a while, until someone reminded me that everyone who does this got into it for the same reason as me, and if they know what they're doing why would they drop their dream game for mine (unless I was paying).

In this case, I suspect the biggest factor is simply having the right product at the right time. Twitter goes to hell and you've got a Twitter alternative ready to go? That's the perfect timing for a successful product/service.

It's no surprise that things like Hive, Mastodon and Cohost have exploded in popularity recently.

Of course, whether these products will be the ones that do well in the long run is still an unanswered question. Hive's security issues and temporary shut down came at the exact wrong time, Cohost's invite system is probably crippling it and people are still not 100% sure how to use Mastodon in some cases, so only time will tell which if any takes off.

Overthinking is definately it. Sometimes ignorance is bliss. It feels like the more I know, the more I know I don't know.

> that's such a success story hitting 1M users as a hobby project, let alone from a teenager. I've never done anything close to this, and not for lack of trying...

Sounds like a lot of it is just being in the right place at the right time. Apparently most of the growth consists of people trying to flee Twitter due to Musk. Though doing that sounds like jumping from a sinking ship into a toy paper boat.

To be fair to them... thats a brave step for a startup to take. So many would try to stay quiet and fix the issues behind the scenes (hell, giant companies try this attempt all the time!). They made the right move here.

NB, I don't use Hive and have no interest, I moved to Mastodon because I want to be in control of my data moving forward.

it would have been brave if they'd done so when they were alerted to the issues. doing so once they've been made public? not so much.

Of course and ironically, I can't tell whether this is the real Twitter of Hive.

I wonder if I'll be able to determine the real Hive of Twitter if things switch.

Same problem their website has. And every website. You can still find out who someone is without relying on the platform to to the identity checks.

haha the only ethical alternative is the ActivityPub ecosystem.

If that (Mastodon or other implementations) are not good enough, make your own or get involved with the W3C to standardize AP v2.

4 days from reporting to public posting is not a responsible disclosure policy. Even if they are slow in responding, the usual grace period is about 4 weeks if I recall.

1. They haven't disclosed anything of use to an attacker.

2. According to the post, Hive responded and said the issues had been fixed. Obviously they haven't, and at this point OP seems to have decided that the most responsible thing to do was to warn users of the platform that they aren't safe.

I don't really see a problem with this.

> 1. They haven't disclosed anything of use to an attacker.

I also don't believe this is "responsible" disclosure, but I also don't think it's fair to say this information is of no use.

To me this clearly signifies that there is no back-end authentication on their API. The whole app is probably written in JS with a simple database on the backside with no serious middleware on the server side. It would probably not be difficult to reverse engineer this hack by monitoring requests using simple dev tools, and then simply replaying them with altered content.

If that's the vuln, then they were going to be cracked wide open by half the script kiddies on the planet as soon as they got any sort of adoption.

That is precisely what you are seeing here.

I wouldn't call Zerforschung script kiddies, though.

Where does it say Hive claimed the issue had been fixed? I think you misread it.

"After multiple days and multiple reminders by us, they claimed to have fixed all issues."

It says "After multiple days and multiple reminders by us, they claimed to fix them within the next two days." now.

They don't offer a guide or any details about the exploit, this isn't really disclosure in the normal sense. Aside from any possible alterior motives the author may be just trying to light a fire under hive social's ass to get it fixed.

In kindness and for future reference, the word you're looking for is spelled "ulterior".

So, not disclosure from a security ops / policy perspective, but it is 'disclosure' this the equivalent of a 'here be dragons' comment on a map ... an endorsement for the 'curious'

This isn't disclosure

I wanted Mastodon to replace Twitter so we can finally see a mainstream Federated social media, to break free of corporate control over social expressions.

But with the Hive there is nothing unique, its a Twitter clone, which doesn't offer any technical or operational benefits, and also no major features.

if we are still going to use a centralized network, might as well just continue using Twitter, a network with an existing social circle.

> its a Twitter clone

Is it? From what I've seen it's more of a Instagram clone and I am stumped as to why folks are switching to it as a Twitter alternative.

The problem of Twitters ownership and moderation remains

As if Hive is going to be any better?

It may be. I don’t know their policies.

But whatever you thought of the old Twitter policy, that obviously changed. And they could’ve made that change without a new owner if they had chosen to.

He who owns the server sets the rules.

jwz says Marc Andreessen is an investor, so no.

Got a price on Andreessen being an investor in Hive? I just checked in Crunchbase and it looks like they’ve raised $3M but no specifics. And all I’m able to find is that it’s from an unnamed angel investor.

$3M seems small potatoes for Andreessen unless he’s trying to do a Tab vs Diet Coke thing and corner all the options.

No, he says he's an investor in Post.News - "Post Dot News also seems absolutely vile. First of all, Marc Andreessen is an investor [...]"

What's the "problem"?

That 75% of Twitters userbase, per their own admission, is not from the USA, and fall under laws that requires Twitter to do better at moderating their platform.


I mean, would be quite sad for Elon if those non-US nations pulled Twitter from their markets.

I thought that had been solved recently, no?

Solved for some, messed up for others.

No, but it did recently change.

Is this about Trump, Kanye and the Babylon Bee being unbanned?

Critical security vulnerability in an iOS-exclusive app? I bet they're using CloudKit and forgot to implement server-side access control. (Even Apple screws that up half the time: https://labs.detectify.com/2021/09/13/hacking-cloudkit-how-i...)

summary quotes:

> The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes private email addresses and phone numbers entered during login.

> Attackers can also overwrite data such as posts owned by other users

no authorization on some endpoints + enumeration I presume

At least one other person reported Hive Social vulnerabilities recently: https://twitter.com/zhuowei/status/1597739467645030400

Slightly off topic:

In the video of the post you can see an option of run a script in an iPhone.

What's that option? It's really an iPhone? What are the capabilities of that functionality?

its with the shortcuts app. you can make little actions that appear in the share menu. I have one for downloading videos from twitter for example. It’s pretty limited in what it can do, but ive seen some cool shit people have made with it

I once needed to download PDFs from emails, and then post just one page from each to a Web form – and all I had was an iPhone and 3G at a Caribbean beach bar. Shortcuts are less limited than I thought!

yeah, shortcuts are insanely underrated.

A twitter vid downloaded shortcut is awesome, did you make it yourself or is it generally available?

Woah so it has MySpace aspects

What do you mean? iPhone is MySpace?

I meant the being able to run any customizable script aspect for a social network site. Xanga also allowed that too, iirc

Hive Social doesn't have that. The script here is on the iPhone.

Don’t worry, I won’t.

Snark aside, I think the current platforms are going to be the only ones folks use; and then there’s going to be stuff that is entirely different.

These clones are getting just silly.

Wouldn't be surprised if it was just replacing a post ID in the update call to someone else's post and server thinks it's fine. Anyone investigated yet?

[edit] Just read they took the server down, we will never know now.

[edit2] Astonishing how supportive the users are. I don't think a lot of users want to understand that all their data is on the streets. It's like they're actually deciding in what they want to believe. Seems to be a trend in society.

They couldn't have given them even a week before disclosing? Seems more black hat than white hat to do the disclosure this way (resulted in the app getting taken down).

> After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to have fixed all issues. However multiple vulnerabilities we reported still exist...

its a bit unfair to imply they engaged in some kind of irresponsible disclosure, they haven't disclosed any of the exploits.

Just want to point out that Hive Social is completely unrelated to Hive Blog (which is also a social network of sorts on the Hive blockchain).


Oh, thank goodness the other hive is as safe as crypto.

Is there a 'rick-rolled' meme but with blockchain?

Also unrelated to TheHive project, a security incident response tool.


There also seems to be something similar to Slack that's called Hive. Not very unique name.

Would love to see insights on how https://www.kooapp.com/ is?

It's a right wing Twitter for India.

TLDR: Mastodon is more secure than Hive Social.

Well.. That's an understatement.

Is it? Can't people read your DMs on Mastodon as well? If that is your concern then seems like all things are equal. I'm being somewhat obtuse but I don't see how Mastodon is a reasonable replacement for Twitter.

> Is it? Can't people read your DMs on Mastodon as well?

"People"? No. Server operators, yes, but that's true of Twitter as well.

The disclosure, here, is that anyone can read private messages. Oh, and also edit posts.

Unless a service or protocol provides end-to-end encryption, you should not use its messaging features for anything truly sensitive.

And no, this is not equal. The Hive authors seem to have completely failed to implement authorization for their API, allowing (it seems) anyone with a valid auth token to make a request as any other user, granting everyone access to everyone else's data.

This is a "car company doesn't know what seat belts are" level of incompetence.

Did you really have to add one of the internet's most-hated songs to your screen recording like it was some cheap TikTok?

Yeah, that seemed quite immature and unnecessary.

It would helpful if the reporter confirmed that this is an issue with this particular front-end and not with Hive in general.

Steem/Hive was the first web3 offering and a lot of new 'web3' projects that are getting a lot of publicity have yet to catch up the basics that Steem/Hive had in place 6 years ago.

Wrong hive.

This is a social network that has recently exploded. My understanding is a ton of games industry people moved to it off Twitter.

It has nothing to do with “Web3”. It’s not a front end.

It’s a native iPhone app. No web presence at all at the moment.

Thanks TIL. That would be helpful information for the reporter to include too.

Sure. Personally I’ve never heard of the Hive you’re talking about. Perhaps it was the same for the reporter.

+1, I'm not sure what the "other" Hive is, but it seems to have a lot less mind share, making a disclaimer unnecessary.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact