Three Georgia Tech students successfully hacked Yo, an app that has soared up the app charts in the last two weeks after a low-profile launch in April, with over 100,000 downloads and $1.2 million in funding secured in a matter of days.
The app allows users to send the word “yo” to each other (that’s it), but the Georgia Tech students who hacked it were able to send much more. In an email to TechCrunch, they said: “We can get any Yo user’s phone number (I actually texted the founder, and he called me back.) We can spoof Yos from any users, and we can spam any user with as many Yos as we want. We could also send any Yo user a push notification with any text we want (though we decided not to do that.)”
Yo’s founder, Or Arbel, has confirmed that his app was hacked and has even hired one of the students who discovered the vulnerability. While we commend this developer for taking a step beyond vulnerability bounty programs like Google’s and Facebook’s, the situation provides clear evidence that an app can grow in popularity much faster than its security team can keep up.
IP owners need to be wary of third-party developers who may be prioritizing app popularity at the expense of app security. Apps using your brand names may be susceptible to similar hacks.