69 comments

[ 2.8 ms ] story [ 146 ms ] thread
Is it wise to advertise that you've hacked any app in this social climate?

Theoretically, could the founder of Yo have pressed charges against the student? (This would, of course, be complete suicide for any startup. But companies aren't always rational actors.)

(comment deleted)
Nope, they are white hat. Hacking a product/app/website and not talking about it, not warning the founder is the problem.

In fact, what those guys are doing increases the collective conscious and improves the system to be able to develop better/safer products.

I don't think the US court system agrees, which is what I'm asking about here.

In fact, it seems straightforward to make a case against the student's activities. From the Computer Fraud and Abuse Act:

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

...

(C) information from any protected computer;

The phone numbers are probably information from a protected computer.

Young people are pretty often cavalier about jeopardizing their futures. I'm just checking whether there is, in fact, a chance that this young person could have.

I don't get to hack stuff just because I say "white hat."

If it's not yours, don't mess with it.

And leave security holes open for people with less good intent and actually harm users?
There are plenty of companies who will pay you for your services, and under contract so it's completely legal, too.
I recall a case where the courts did not agree with you. I can't remember names or many details, but the gist was that some guy realized that one of the pages was taking an fdat argument that was his userid, and by simply incrementing that number he could retrieve the data of any user he wanted. He presented his findings to the company (something major, like AT&T maybe), and they immediately sued him. He fought in court saying he wasn't malicious and was "white hat" as you say, but I believe he was convicted.

Does anyone remember this case?

Weev. Search HN, there are hundreds of conversations about that case.
Georgia tech alum here. Whoever did this, I may have a job offer for you! Awesome!
(comment deleted)
Quick! Give those students one million dollars in VC funding!

Just think about it. We have more and more flash-in-the-pan shoddily written apps in mobile.

And because they're flash-in-the-pan, for a time, they're popular. And because they're shoddily written, they're easily exploited at the peak of their popularity, so you can amass a ton of personal information from the app users and abuse it any way you want.

Hacking crappy mobile apps may soon become the new "my WordPress blog got hacked". Think of the potential, it can be a whole new industry. Not to mention all the fake diplomas, mortgages, Russian brides and Cialis pills that'll get sold in there.

I have little sympathy for Yo - it's indicative of the cavalier (arrogant?) attitude many seem to have towards security these days. There's this prevalent minimum viable product attitude lately that seems to make app developers think security is something you can think about later.

It isn't. You have an obligation to your users and the personal data they entrust you with. Build it in. Today. And know that you can't write secure code as part of an agile process. Security means sitting down and working out a threat model before you jump into code, user needs and backlogs. In other words, choose design up front, or have a contingency ready because you're going to get hacked.

What's the worst that could happen? I'm not trying to minimise the severity of their fail; I am genuinely curious if they could have pushed something malicious to user phones?
They are asking for users phone numbers: very sensitive data. Apparently that data is not being handled securely.
Respectfully (I mean no offence), your comment is typical of one that trivialises security. Information disclosure is one of only six threats (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege). Threats (individually, or within a threat tree) lead to exploits, which if not mitigated, have consequences. They in turn have an impact.

The impact for Yo is not the degree of sensitivity of the data - that's semantic. The real impact is reputational. Trust is easily obtained, but very difficult to regain once lost.

> Trust is easily obtained, but very difficult to regain once lost.

I don't believe you. People still shop at Target, people still use Heartland payment processing systems, people still use Comodo and Verisign as digital certificate authorities. Stratfor still has customers, people still use Firefox, Internet Explorer and Chrome, and so on.

In this thread you ask people to care about security because of the harm it will bring to their reputation, but really you are the only person who considers the security reputation of a company, service, or product before using it. No-one else does. People in the world consider hackers and security problems to be a bit like tornadoes - what could you have done differently to avoid being hit by one?

And really, the track record for making secure software is very bad. Matasano is the premier application security consulting company in the world. Their blog got hacked. Microsoft is the premier software development company in the world, they invest billions comma billions of dollars in the security of their software, from paying internal red teams to giving grants to leading academics for groundbreaking research. Their software still gets hacked.

So what's your secret to making software secure? Is it more quotes from the CISSP handbook?

There is no secret, and I've not read the CISSP manual. I just design for it before I start writing code. Also, I don't ask anyone to care about anything. Your app, your choice. You mention tornadoes. That's reactive. I'm suggesting being proactive, by asking what can be done before an event, not after.

I know absolute security is elusive. I still try to anticipate what might happen, however. As Covey says, begin with the end in mind.

And finally, as far as Matasano goes. Yes, they have a good reputation. Thomas has a lot of technical depth for sure (certainly more than I). It interests me however, that I've never heard mention of a Needham-Schroeder implementation from them. But I may just have missed it. To be clear, I have no delusions - I imagine Matasano's crew has a lot more brain than I do. That's cool. And yet I find myself wondering why we (and they) all talk about which algorithm is good for crypto function x or y, but never about which protocol you might use to securely exchange keys (for example).

You're wrong. I can think of many apps where security shouldn't be the main focus. Apps where neither the developer nor the users really care if it happens. Yo is one of them.
I didn't say it should be the main focus. Also, your comment demonstrates my point (thanks for that). It's arrogant, and demonstrates a lack of insight. If they don't, Yo should care. As I mention in another comment below, this impacts their reputation. Imagine if the developers of Yo build something that really should be secure one day. First thing I'd think is they don't bother with security, so I won't use that app. Or the developer interviews somewhere else one day -

Interviewer: "So dude, what have you done in your career?"

Yo dev: "I built Yo."

Interviewer: "Yo got hacked. Goodbye."

. . . said no interviewer ever.

And as selfishly awesome as it would be for my career if security holes became career-ending mistakes (hire me so you don't lose your job!), the only people who haven't written software with security holes are those who haven't written software.

I get it. Because absolute security is an impossibility, we just shouldn't bother at all.

See what you and I did there? Extremes, both sides of the argument. I know that no interviewer says that - it was done to illustrate my point.

I think you misunderstand the trouble one can cause through limited information. We can phish, we can gain access to some personal information.

Both of those pots of "gold" are threatening enough attack vectors.

The app uses parse.com API for all communication (and probably for all data storage) and I haven't seen it communicating with anything other than parse, getsentry and flurry services.

Does hacking the app means hacking parse.com?

Maybe the hackers found their API keys in the app binary.
Probably, I took it apart and had a quick look but couldn't find the key. I only had a quick scan of the Application and Activity classes though and did a search for Parse.initialize (where the key is passed in)
(comment deleted)
Ok, I took another look and all the Parse keys are in a very obvious place!
I'm interested in how you can conceal these API keys in Android, there does not seem to be any recommended approach.

Obscure methods like wrapping them up in C native code get mentioned. I'm assuming Proguard does not help?

While i was messing around with another app , what i saw was that parse apps leak their clientkeys but not the application Id. I did look more into it . parse does some sort of hashing to make an iid which is sent with each request . I am pretty sure that the iid is made from the app key and the client key. I did mess around a lot with an app using parse with charles web proxy and a number of decompilation tools i plan to write about it soon. ( as soon as i get something concrete)
The Yo joke keeps on getting funnier. First 1.2 million dollars of funding for an app that allows you to send, "yo" to your friends and now this hack. What the hell was the money spent on? It certainly wasn't security. I'd imagine the developers threw a massive party with kegs and thousands of pizzas with the funding money because lets be honest: Yo is an MVP product that is not refined nor innovative and could be built by a 14 year old with a Udemy course on Objective-C. The fact it supposedly took 8 hours to build and started off as an April Fools Day joke says it all, right?

I like stupid apps and things like this, but the fact this received funding just reminds me of 1999. Apps like this shouldn't take funding, they're short-lived hype apps, they're not the next Twitter or Facebook. Can the bubble just pop already please? Save the VC funding for startup ideas that actually deserve it. This is the pet rock of mobile apps.

At least Mike Judge has a plot he can adopt for season two of Silicon Valley though.

Maybe they haven't spent the 1.2 million dollars? Maybe they and their investors know a little bit more than we do and have something up their sleeves.

What we do know is they sure have recieved a lot of attention they wouldn't have otherwise.

I've read too many times the "they may know more than we do and they may have surprises". Cut the bs pls.
There's so much potential for this app, they could add a keyboard and allow you to send any message you want for instance...
The funding came from the CEO himself, it's just a marketing scheme...
No it didn't. The funding came from multiple investors, not the CEO himself.
www.forbes.com/sites/jaymcgregor/2014/06/19/app-raises-1m-in-funding-for-simply-sending-the-message-yo-back-and-forth/

> it has just raised $1m in seed funding from CEO of Mobli, Moshe Hogeg’s angel fund.

The CEO of Mobli is not the CEO/founder of Yo.

Also:

> The app has received $1 million in angel funding from a group of investors led by Moshe Hogeg

So there are multiple investors, not a single one.

Multiple can mean "2." It could b 99% from the one angel and a $1000 from the CEO's mom, dad, siblings, etc.
Correct, yet totally besides the point. Instead of what "could be", do a search and find that it were more than 2 investors, and that Hogeg lead the round and invested 200k (of the 1.2 million).
Searched around and haven't found anything to indicate that.

Hogeg's angel fund (the only identified investor) may have multiple people in it, but they could all be _his_ friends and family.

First 1.2 million dollars of funding

I wont believe the funding until, it's been confirmed. This not funding, this is PR hype. Able worked for a company and the CEO wanted the Yo app. The same CEO has given him the funding. I've heard many stories of fake funding on Angellist why should this be any different.

First 1.2 million dollars of funding

I wont believe the funding until, it's been confirmed. This not funding, this is PR hype. Able worked for a company and the CEO wanted the Yo app. The same CEO has given him the funding. I've heard many stories of fake funding on Angellist why should this be any different.

Someone doesn't believe in innovation through constraints! I spot a nonbeliever!

....

;)

There is an excess of capital to be invested in start ups. As simple as this app is it shows that the founder had the ability to make something that people reacted to. 90% of apps are DOA. If you release an app that receives this amount of attention it almost does no matter what it is, you'll get funding. It may not be from top tier investors but the money will still work.
> What the hell was the money spent on?

Probably relocating from Israel to a new office in San Franscisco, in addition to hiring new staff, and marketing to keep the buzz going (they even turned the funding itself into a PR campaign, which is very well done).

> I'd imagine the developers threw a massive party with kegs and thousands of pizzas...

I'd imagine this shows either some disconnect or envy, or a little bit of both.

> Apps like this shouldn't take funding, they're short-lived hype apps, they're not the next Twitter or Facebook.

Why not? So they can slave for months on some feature set that needlessly bloats their simple product? Buzz around the funding grew them from 50k users to an estimated 250k users in a span of less than a week. Why sit still and not ride the wave to full-on virality or an early exit? If they manage to eat just 1% of WhatsApp's lunch, the investors would have made a fine investment.

> Yo is an MVP product that is not refined nor innovative and could be built by a 14 year old with a Udemy course on Objective-C

The first version of Facebook was not refined or innovative. There are a lot of talented coders on HackerNews who could built any app currently on the market in a weekend. They either do not bother (because they don't think it is innovative enough) or they do bother, but fail to connect with the market. Yes, this product is a victory of smart marketing and user virality, not a victory of using the technology.

If you can build an MVP application that attracts funding, 250k users and a lot of media attention, then I suggest you go start that Udemy course and do so. I won't complain when you get funding to realize the full potential.

> Save the VC funding for startup ideas that actually deserve it.

No. Save the VC funding for those startups that show promising growth and realistic strategies. Save the VC funding for startups that will bring return on your investment. Save the VC funding for the pet rock startups that managed to sell 15 million $ in profit in their first 6 months.

> There are a lot of talented coders on HackerNews who could built any app currently on the market in a weekend.

I see comments to this effect every now and then on HN (ie. any skilled team could build out Facebook in 30 days)

It's great to shoot for the stars and have faith in yourself, folks, but shockingly lots of people who get paid to program also happen to be REALLY GOOD at what they do.

While I could focus on the benefits of a little bit of humility (and they are many) instead I'll say that there are people who come on to these sites and see ridiculous statements like this and will suddenly start to wonder what's the point of learning to code if they'll only be good once they can build any app in a weekend.

So no, there aren't people who can build any app on the market in a weekend. And that doesn't mean that any of those people are bad at what they do.

I am not saying I am one of those coders. But I know that they are on HackerNews. There is a large chance that the founder and VCs of Yo will see this thread. If you post about a computer language, chances are the authors are reading it.

Yes, there are a lot of coders on here that can code your MVP or a basic mobile app in 48 hours. And I think some of them are still constantly learning new ways to code and getting better.

I made no qualitative statements about these topcoders vs. those coders who can't (or won't) deliver in a weekend.

> ...will suddenly start to wonder what's the point of learning to code if they'll only be good once they can build any app in a weekend.

I think that's more of an issue with self-esteem than it is with the observation that there are hackers on here who can crank out production-ready code in a short amount of time.

HN really seemed to like the posts by Jennifer Dewalt (http://jenniferdewalt.com/). It is not unwelcome to starting coders. You may be interested in Norvig's article: http://norvig.com/21-days.html "Teach Yourself Programming in Ten Years" which aligns much more with my true view on this.

Speed is not everything. Often these weekend hacks lack market demand, lack user experience, can't overcome the chicken-and-egg problem.

I can think of many more ways to frivolously spend money. I think it highlights the lack of high-value or tech-intensive investment opportunities for investors.
For startups this young, it certainly IS NEVER security. -unless security is part of their core or value-add. (ie dropbox would be nowhere if security wasnt #1)

How can security be anywhere on their early timeline? (i agree it should) but the market (10-20yr olds) and investors are not asking for more security. Also, how secure is secure? Very difficult to know when you are secure enough - and what will your product be tomorrow?

My thoughts on a solution: Short term: "AMA request - Head of security for startup XYZ". Which leads to a community security score/rank. EDIT: http://www.reddit.com/r/IAmA/comments/28n64e/ama_request_per...

Long term: ONE COMMON Open Source framework that is way too easy to implement regardless of the languages used. Seriously way too easy NOT to use

Securing your API to an acceptable level and not exposing your users' details really isn't THAT hard. It's just something a lot of app developers have never even picked up a book on.
Great marketing, everyone is talking about the app now. Just heard it on the FM radio.

The title of the article even hints to this be marketing.. "allegedly."

I don't believe much of anything I see on the Internet. I think you shouldn't either!

Exactly. Whether it's true or not, it extends the idiocy for another day or two.
Well if you scroll down to the "Update" portion you'll see it's been confirmed. Alas, that's by the CEO, so I guess theoretically this could all be one big scheme. But they were getting quite a bit of hype before this security issue(s) arose.
And suddenly 'Yo' has a path to monetization ... litigation!
'bringing on a specialist security team' (i.e. better programmers who know what the fuck theyre doing)
Those students have done a better jop than the original app developers and deserve a million dollar more than funding for a 'Yo' app. Please. Let's be serious.
I came here to talk a little about Yo. I was one of the original people to "hack" the app and updated the message to say "Tweet #YoBeenHacked" at about 3AM EST on June 20th. This is the hashtag that has sense been used. Approximately 15 minutes after doing this, I received a call from Or, the founder and CEO of Yo. Or, Chris, and I talked for about an hour and fixed a few issues then. From that point on, the message could not be updated.

The issues with Yo were not entirely Or's fault. As he put it, the app was intended as a "prototype" and had it not blown up so fast, this would not have been an issue. A common claim is "You have 1 million dollars, hire someone to fix this!" which Or had already done. A meeting with the parse team had already been scheduled long before today and had everyone tried to hack the app today, the attempts would fail. During this meeting Parse's Security team, Or and I fixed the security issues. I would be happy to answer any other questions, post below.

During the conversation Chris and I were both offered freelance jobs. Chris declined, I accepted. I currently am working on a feature for Yo to update your username.

Additionally, securing Parse requires setting an ACL. This is not a huge deal but many apps do not. If you use Parse, please check your ACL.
How was the Yo app hacked to play sounds('rick roll') that weren't originally in the app binary?
Or came to the conclusion those people changed the binary and that they were on jailbroken devices. Those videos were faked so to say.
Gotcha. The binary only has two .mp3 files; yo.mp3 and yoyo.mp3.
I was asked "Is it possible to find the api key's in the binary?"

My answer is yes, it's insanely easy. Don't try to secure your API keys instead try to secure your API.