from Hacker News

Yo App Allegedly Hacked By College Students

by intull on 6/20/14, 9:11 AM with 65 comments

  • by DigitalSea on 6/20/14, 10:56 AM

    The Yo joke keeps on getting funnier. First 1.2 million dollars of funding for an app that allows you to send, "yo" to your friends and now this hack. What the hell was the money spent on? It certainly wasn't security. I'd imagine the developers threw a massive party with kegs and thousands of pizzas with the funding money because lets be honest: Yo is an MVP product that is not refined nor innovative and could be built by a 14 year old with a Udemy course on Objective-C. The fact it supposedly took 8 hours to build and started off as an April Fools Day joke says it all, right?

    I like stupid apps and things like this, but the fact this received funding just reminds me of 1999. Apps like this shouldn't take funding, they're short-lived hype apps, they're not the next Twitter or Facebook. Can the bubble just pop already please? Save the VC funding for startup ideas that actually deserve it. This is the pet rock of mobile apps.

    At least Mike Judge has a plot he can adopt for season two of Silicon Valley though.

  • by Spearchucker on 6/20/14, 10:15 AM

    I have little sympathy for Yo - it's indicative of the cavalier (arrogant?) attitude many seem to have towards security these days. There's this prevalent minimum viable product attitude lately that seems to make app developers think security is something you can think about later.

    It isn't. You have an obligation to your users and the personal data they entrust you with. Build it in. Today. And know that you can't write secure code as part of an agile process. Security means sitting down and working out a threat model before you jump into code, user needs and backlogs. In other words, choose design up front, or have a contingency ready because you're going to get hacked.

  • by paul9290 on 6/20/14, 11:54 AM

    Great marketing, everyone is talking about the app now. Just heard it on the FM radio.

    The title of the article even hints to this be marketing.. "allegedly."

    I don't believe much of anything I see on the Internet. I think you shouldn't either!

  • by sillysaurus3 on 6/20/14, 10:00 AM

    Is it wise to advertise that you've hacked any app in this social climate?

    Theoretically, could the founder of Yo have pressed charges against the student? (This would, of course, be complete suicide for any startup. But companies aren't always rational actors.)

  • by isaiahturner on 6/21/14, 1:32 AM

    I came here to talk a little about Yo. I was one of the original people to "hack" the app and updated the message to say "Tweet #YoBeenHacked" at about 3AM EST on June 20th. This is the hashtag that has sense been used. Approximately 15 minutes after doing this, I received a call from Or, the founder and CEO of Yo. Or, Chris, and I talked for about an hour and fixed a few issues then. From that point on, the message could not be updated.

    The issues with Yo were not entirely Or's fault. As he put it, the app was intended as a "prototype" and had it not blown up so fast, this would not have been an issue. A common claim is "You have 1 million dollars, hire someone to fix this!" which Or had already done. A meeting with the parse team had already been scheduled long before today and had everyone tried to hack the app today, the attempts would fail. During this meeting Parse's Security team, Or and I fixed the security issues. I would be happy to answer any other questions, post below.

    During the conversation Chris and I were both offered freelance jobs. Chris declined, I accepted. I currently am working on a feature for Yo to update your username.

  • by jyz on 6/20/14, 10:05 AM

    Georgia tech alum here. Whoever did this, I may have a job offer for you! Awesome!

  • by uptown on 6/20/14, 12:09 PM

    And suddenly 'Yo' has a path to monetization ... litigation!

  • by irfan on 6/20/14, 10:48 AM

    The app uses parse.com API for all communication (and probably for all data storage) and I haven't seen it communicating with anything other than parse, getsentry and flurry services.

    Does hacking the app means hacking parse.com?

  • by ulfw on 6/20/14, 5:47 PM

    Those students have done a better jop than the original app developers and deserve a million dollar more than funding for a 'Yo' app. Please. Let's be serious.

  • by jacquesm on 6/20/14, 10:02 AM

    App now sends 'Ya!'.

  • by jwheeler79 on 6/20/14, 3:33 PM

    'bringing on a specialist security team' (i.e. better programmers who know what the fuck theyre doing)

  • by mantraxC on 6/20/14, 10:07 AM

    Quick! Give those students one million dollars in VC funding!

    Just think about it. We have more and more flash-in-the-pan shoddily written apps in mobile.

    And because they're flash-in-the-pan, for a time, they're popular. And because they're shoddily written, they're easily exploited at the peak of their popularity, so you can amass a ton of personal information from the app users and abuse it any way you want.

    Hacking crappy mobile apps may soon become the new "my WordPress blog got hacked". Think of the potential, it can be a whole new industry. Not to mention all the fake diplomas, mortgages, Russian brides and Cialis pills that'll get sold in there.