World’s stupidest app apologises after hack that exposed phone numbers, and hires hacker

Posted on June 24th, 2014 by

Yo, the stupidly hyped-up and pointless smartphone app that lets you send the word "Yo" to your contacts (and nothing else), was hacked briefly last week by some college students.

Surprised? I'm not.

After all, the app's makers brag that it only took eight hours to create. If that's really the case, was there any consideration about security at all?

If there was any thought about security and privacy, it clearly wasn't enough. Because, as TechCrunch reported, the app was hacked by three students from Georgia Tech soon after its creators claimed they had received over $1 million in funding.

wow. many 1337. such bad security.

I hacked Yo. Use hashtag #YoBeenHacked to talk about it.

I guess we should be grateful that the message the hackers pushed to users' phones was asinine, rather than something crafted with more malicious intent. And it's a blessing that the only information Yo carried about its users was their phone numbers, seeing as the hackers were able to access that too.

But in the rush to experience the latest hyped-up app - an app which wasn't properly thought through or secured - many smartphone users put themselves at unnecessary risk, and granted Yo access to phone numbers.

As more and more people were drawn to Yo, others began to question how secure its infrastructure was. Some went beyond sending daft messages and found ways to impersonate others.

Yo clearly wasn't built with security in mind, yet hundreds of thousands of people were quite happy to try it out.

Even though iPhone and iPad users experience nothing like the security problems seen on the Android platform, that doesn't mean that there aren't poorly written apps making it into the iOS App Store that could have security weaknesses or be backed by companies who have a cavalier attitude to your privacy.

So, what now for Yo?

Well, its founder Or Abel has published a blog post saying Yo was "lucky enough to get hacked at an early stage and the issue has been fixed."

In that blog post, Abel takes almost 500 words explaining how the hack worked, and that he has hired one of the hackers to work on "other aspects of the Yo experience" before he gets around to apologising to affected users.

Yo is a simple app - your privacy isn’t. We take your privacy very seriously, we apologize from the bottom of our hearts...

Abel is wrong. Privacy can be very simple.

Here's a simple way to avoid all privacy and security problems with Yo: Don't install the app. It's not just stupid, it's proven itself to be insecure. Just say no to Yo.

PS. By the way, regardless of security - there's another bee in my bonnet about Yo. Its lack of originality.

After all, isn't Yo just a modern-day equivalent to Facebook's Poke feature?

What do you think of Yo? Am I being too harsh? Leave a comment expressing your point of view below.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.

  • Coyote

    No, you’re being WAY TOO NICE. I thought the name was and is completely
    stupid and indeed it does lack originality. In fact I think that so much
    that when I first (the other day) read about this incident I thought it
    had to be some silly teenager who thought he was clever and wanted to
    show the world how important he/she/it is (and their supposed
    programming abilities)… not. It is worse than Facebook's poke (I’ll
    refrain from cursing too much here though!).

    As for the issue being fixed. Just like some other recent security
    breaches I’m going to
    call nonsense there. Even if they did fix THAT EXACT issue the very fact
    is there’s bound (I don’t know if it was out of bound error so it may
    or may not be a pun but I hope it was because I love puns) to be other
    issues. That he hired THEM to fix it (he didn’t fix it, did he?) then he
    is incompetent and has no regard for others (all for fame). And I
    cannot fathom the need for an app to actually need the phone number.
    Surely if the device is so smart (like the youth of today seem to think
    about everything they own) it would have an API capable of retrieving
    that information when needed, rather than store it elsewhere? And if it
    didn’t store it somewhere then it is an even worse creation! And $1m?
    Wow… just wow. Beyond shameful!