The ill conceived social media application called Yo was digitally disemboweled this past week. This is an app that allows a user to send the word “Yo” to their contacts. Um, yeah. The security issues came to light in rather vivid detail when students from Georgia Tech were able to access the Yo user database.
From Yo via Medium:
The issue that followed was that our database had an open access from the app itself, a fact that allowed any malicious party to read the user information.
Once we learned about this issue we’ve assembled a team of engineers with the hosting company, and began solving it. Once the issue was resolved (yesterday noon), we contacted the hackers and verified verified that the problems had been fixed. One of them is actually now working with us on improving Yo experience in other aspects as well.
I’m torn on this one for a couple of reasons. On the one hand I’m amazed that at no point did the shop that developed this app seem to take security into account. They recently received $1 million in funding which drew attention of some students at Georgia Tech. The students were able to spoof and spam users. Not to mention, they could access phone numbers associated with users. The company responded by downplaying the severity of the information that was being accessed.
Now while I’m amazed with the aforementioned, I have to give Yo credit for finding the tip of the sword, placing it against their chest and leaning forward. Company founder Or Able was descriptive in his blog post as to what had transpired. But, saying things like “We were lucky enough to get hacked at an early stage and the issue has been fixed.” is nonsense. You’re not ‘lucky' for demonstrating incompetence with your application. Yo failed to take into account basic security.
Gene Spafford delivered a keynote today at the FIRST conference in Boston wherein he highlighted this very issue. Application and system design is devolving to a point where security is no longer an afterthought. It isn’t even part of the equation for some development shops. Yo learned a valuable lesson.
But, I have to admit…$1 million in funding for app that says ‘Yo’? I’m in the wrong business.
(Image used under CC from Brandon Grasley)