World’s stupidest app apologises after hack that exposed phone numbers, and hires hacker

Posted on June 24th, 2014 by Graham Cluley

Yo, the stupidly hyped-up and pointless smartphone app that lets you send the word “Yo” to your contacts (and nothing else), was hacked briefly last week by some college students.

Surprised? I’m not.

After all, the app’s makers brag that it only took eight hours to create. If that’s really the case, was there any consideration about security at all?

If there was any thought about security and privacy, it clearly wasn’t enough. Because, as TechCrunch reported, the app was hacked by three students from Georgia Tech soon after its creators claimed they had received over $1 million in funding.

wow. many 1337. such bad security.

I hacked Yo. Use hashtag #YoBeenHacked to talk about it.

I guess we should be grateful that the message the hackers pushed to users’ phones was asinine, rather than something crafted with more malicious intent. And it’s a blessing that the only information Yo carried about its users was their phone numbers, seeing as the hackers were able to access that too.

But in the rush to experience the latest hyped-up app – an app which wasn’t properly thought through or secured – many smartphone users put themselves at unnecessary risk, and granted Yo access to phone numbers.

As more and more people were drawn to Yo, others began to question how secure its infrastructure was. Some went beyond sending daft messages and found ways to impersonate others.

Yo clearly wasn’t built with security in mind, yet hundreds of thousands of people were quite happy to try it out.

Even though iPhone and iPad users experience nothing like the security problems seen on the Android platform, that doesn’t mean that there aren’t properly written apps making it into the iOS App Store that could have security weaknesses or be backed by companies who have a cavalier attitude to your privacy.

So, what now for Yo?

Well, its founder Or Abel has published a blog post saying Yo was “lucky enough to get hacked at an early stage and the issue has been fixed.”

In that blog post, Abel takes almost 500 words explaining how the hack worked, and that he has hired one of the hackers to work on “other aspects of the Yo experience” before he gets around to apologising to affected users.

Yo is a simple app – your privacy isn’t. We take your privacy very seriously, we apologize from the bottom of our hearts…

Abel is wrong. Privacy can be very simple.

Here’s a simple way to avoid all privacy and security problems with Yo: Don’t install the app. It’s not just stupid, it’s proven itself to be insecure. Just say no to Yo.

PS. By the way, regardless of security – there’s another bee in my bonnet about Yo. Its lack of originality.

After all, isn’t Yo just a modern-day equivalent to Facebook’s Poke feature?

What do you think of Yo? Am I being too harsh? Leave a comment expressing your point of view below.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →

Share

Share this:

About Graham Cluley