Yo is one of the more interesting apps available for smartphone users. Billed as a zero-character communication tool, it simply calls out “Yo!” when a friend reaches out. That’s all. No other communication happens through this app. Of course, the developer highlights other uses. From within the app, scenarios are suggested such as receiving a Yo when your flight is boarding, when your favorite team is playing, or when your dry cleaning is ready.
However, not many people saw the immediate need to download an app that simply says “Yo!” That is, until just recently, when news broke about the app being hacked on June 21, 2014.
Who was affected?
Yo had only been around for a short period of time, so it had not built up much of a user base by the time the attack happened. For a while, a list of affected users was posted on the website http://yo-hack.appspot.com/. However, the list of phone numbers and usernames belonging to this group of users, the ones who had used the Find Friends feature, has since been taken down and replaced with the words, “Yo. Please take security seriously.”
How did this happen?
According to Yo’s founder Or Arbel, the hack can be attributed to the app not being ready for its rapid growth. “Yo started as a weekend project and exploded a little too soon. We were just finishing up re-writing the infrastructure in a proper and secure way, as suitable for production-grade apps, when it suddenly blew up and went viral.”
As Or tells it, three students from Georgia Tech found that the database was openly accessible from the app, which allowed attackers to read user information and push notifications to other users.
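The class of flaw described above, a backend that trusts whatever the client sends, is worth seeing next to its fix. The following Python module is an added illustration, not Yo’s code and not based on any detail of its real backend: it assumes a hypothetical Yo-style service with an in-memory user table, bearer tokens issued at login, and a friends list. All usernames, phone numbers and tokens are constructed for the example. The “open” function shows the failure mode (any caller reads any record); the hardened functions derive the caller’s identity from the token on the server side, restrict reads to the caller’s own record, allow Yos only to friends, and fix the push text to “Yo” so no client can push arbitrary text.

```python
"""Added example: server-side authorization for a hypothetical Yo-style backend."""
import hmac

# Constructed in-memory "database" standing in for a real datastore.
USERS = {
    "alice": {"phone": "+15550000001"},
    "bob":   {"phone": "+15550000002"},
    "carol": {"phone": "+15550000003"},
}
# Who is allowed to Yo whom (constructed friends lists).
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "carol": set()}

# Bearer tokens issued at login (constructed; a real service would mint
# these only after verifying the phone number or device).
TOKENS = {
    "token-alice": "alice",
    "token-bob": "bob",
    "token-carol": "carol",
}


class AuthError(Exception):
    """Raised when a request is unauthenticated or not authorized."""


def authenticate(token: str) -> str:
    """Map a bearer token to a username.

    compare_digest keeps the comparison constant-time so token lookup
    does not leak partial matches through timing.
    """
    for issued, user in TOKENS.items():
        if hmac.compare_digest(issued, token):
            return user
    raise AuthError("invalid token")


def open_read_phone(username: str) -> str:
    """The failure mode: no authentication, any caller reads any user's phone."""
    return USERS[username]["phone"]


def read_own_phone(token: str) -> str:
    """Hardened read: the caller may only read its own record."""
    caller = authenticate(token)
    return USERS[caller]["phone"]


def send_yo(token: str, recipient: str) -> dict:
    """Hardened send: the sender is taken from the token (so it cannot be
    spoofed by the request body), only friends may be Yo'd, and the push
    text is fixed by the server rather than supplied by the client."""
    sender = authenticate(token)
    if recipient not in USERS:
        raise AuthError("unknown recipient")
    if recipient not in FRIENDS.get(sender, set()):
        raise AuthError(f"{sender} is not allowed to Yo {recipient}")
    return {"to": recipient, "from": sender, "text": "Yo"}


if __name__ == "__main__":
    print(read_own_phone("token-alice"))
    print(send_yo("token-alice", "bob"))
    try:
        send_yo("token-alice", "carol")
    except AuthError as err:
        print("rejected:", err)
```

The point of the contrast is where the decision is made: in `open_read_phone` the client chooses whose data to read, while in `read_own_phone` and `send_yo` the server decides from credentials it issued. A backend that exposes the datastore directly to the app has no place to put that check.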
How were consumers notified?
Users of the Yo app were notified through a blog post on the company’s website, where details of the attack and an apology to users were published. Even when the Find Friends feature is enabled, the only information gathered from users is a username and a phone number. Because of this, the company had no other way to reach out and let people know about the attack.
How were consumers impacted?
The biggest issue was the release of usernames and phone numbers on the website mentioned above. The Guardian reported that this information had been posted for only a short time before it was removed. The hackers also told TechCrunch in an email: “We can spoof Yo’s from any users, and we can spam any user with as many Yo. We could also send any Yo user a push notification with any text we want (though we decided not to do that).”
How was the company impacted?
When most companies suffer a data breach, it has a hugely negative effect on them: users and customers lose trust, and business suffers. In Yo’s case, it had the exact opposite effect. After news of the attack broke, the app rose to number three in the Apple App Store and jumped from 60,000 users to over 1,000,000.
How can they fix it?
Yo’s creator took what some would see as a rather unconventional approach to fixing this: he reached out to the people who hacked the app and hired one of them. The thinking behind this isn’t so bad, since too often people rely on theory and what they have read when it comes to proper security. Having a checklist of known vulnerabilities on hand is useful, but it shouldn’t replace hands-on knowledge. Without getting your hands dirty and having someone actually test the code for vulnerabilities, a program can’t be considered secure and shouldn’t be collecting sensitive information from its users.