updated 03:50 pm EDT, Sun June 22, 2014
Georgia Tech students hack single phrase messaging service, help team fix issues
The new messaging app of the moment Yo, which sends out only the phrase "Yo" to contacts, was hacked last Thursday by a group of students allegedly from Georgia Tech, according to TechCrunch. The hack allowed the students to spam users of the messaging program, as well as send push notifications with custom text. Yo confirmed through Twitter that it was working on security issues that had been brought to the team's attention.
We are working on the securities issues that came to our attention. We want you to know we take this very seriously. - Yo (@YoAppStatus), June 20, 2014
The messaging app, which is currently listed as the sixth most popular free iPhone app, was alerted to the hack after one of the students reached out to founder Or Arbel. Arbel confirmed that the app was having security issues, but didn't give details on the hack at the time. The Yo founder outlined the events leading up to the fix on his blog.
After receiving a text message asking if he was the founder, Arbel was spammed with "Yo" messages and was sent a push notification saying that the app had been hacked. The Yo team went to work in an attempt to find out what had happened, closing one hole before another was addressed. During the course of the fix, the hackers emailed Arbel the details of the hack, and provided help.
The larger problem was that the database had open access from the app. This meant that anyone could read what user information was stored. However, a team came together to solve the problem, and the hackers verified that it was fixed. One of the hackers is now working with the team to improve the Yo experience.
In the blog post, Arbel also highlighted one of the features of the Yo app. Since it works on such a minimal level, no information other than a user name and associated phone number was exposed as a result of the open database. The application asks for no personal information, and Arbel says the information it does access from an address book isn't stored in a database.
If a phone number was never used to find friends, only the username was exposed. However, the hack wasn't totally free of an information leak, leaving the app to face problems similar to those that applications like Snapchat have had.
Arbel admits that the app "exploded a little too soon." Before the hack, the team was working on "re-writing the infrastructure in a proper and secure way, as suitable for production-grade apps."
Yo rose through the ranks of apps based on it being a simple messaging platform. It doesn't hurt that the company received $1 million in funding from investors associated with Moshe Hogeg, according to Think Progress. Last week, Yo announced that it had seen 3.7 million messages sent in a single day. Venture capitalist Marc Andreessen thinks that a simple messaging platform like Yo has its place in a world of one-bit communication, but it may not be the next $100 billion social media phenomenon.