The super-simple messaging app Yo is on fire right now: It’s No.4 in the App Store at the time of writing. We told you earlier that someone already hacked it, and the company has admitted there is a vulnerability that allows hackers to get other people’s phone numbers via the app.
This afternoon, David Byttow, the CEO of the anonymous gossip-sharing app Secret, told us how he managed to hack Yo in just three minutes in a way that reveals anyone’s phone number.
We won’t reveal the specific step-by-step information you’d need to hack Yo, for obvious reasons. But the principle behind Yo’s vulnerability is simple. A “man in the middle” (MITM) proxy sits between an app and its servers, and whoever runs it can read and modify the traffic in both directions. An attacker points the app at such a proxy, captures the request the app sends when it looks up a user, swaps in a Yo username belonging to someone else, and resends it. Because Yo’s servers answer based on the username the client supplies, without checking that the requester actually owns that account, the reply contains that user’s phone number, and the proxy shows it to the attacker.
As evidence, Byttow showed us the results of a request he sent under a Yo username that belonged to someone else. The response to his MITM request revealed the user’s California-based phone number.
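To make the principle concrete, here is an added example (not Yo’s code, and not Byttow’s) of a profile-lookup API written two ways: a vulnerable handler that trusts a client-supplied username, and a hardened one that derives the record from the session instead. The user store, session table and phone numbers are constructed for the example, and `replay_with_substituted_username` stands in for what an attacker does behind an intercepting proxy.

```python
import hmac
import secrets

# Constructed user store for the example; these are not real accounts or numbers.
USERS = {
    "alice": {"phone": "+1-415-555-0100"},
    "bob":   {"phone": "+1-650-555-0199"},
}
# Session table: bearer token -> username of the account that logged in.
SESSIONS = {}


def login(username: str) -> str:
    """Issue a random bearer token for a user (the password check is omitted
    because it is not what this example is about)."""
    if username not in USERS:
        raise KeyError("unknown user")
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def authenticated_user(request: dict):
    """Return the account the request's token belongs to, or None.
    Tokens are compared in constant time to avoid a timing side channel."""
    presented = request.get("token", "")
    for token, user in SESSIONS.items():
        if hmac.compare_digest(token, presented):
            return user
    return None


def vulnerable_profile(request: dict) -> dict:
    """Looks up whatever 'username' the client sent and never asks whether
    the caller owns that account. Swapping the username in an intercepted
    request therefore returns someone else's phone number."""
    user = USERS.get(request.get("username", ""))
    if user is None:
        return {"status": 404}
    return {"status": 200, "username": request["username"], "phone": user["phone"]}


def hardened_profile(request: dict) -> dict:
    """Requires a valid session and only ever returns the caller's own
    record, so a substituted username changes nothing but the status code."""
    caller = authenticated_user(request)
    if caller is None:
        return {"status": 401}
    target = request.get("username", caller)
    if target != caller:
        return {"status": 403}
    return {"status": 200, "username": caller, "phone": USERS[caller]["phone"]}


def replay_with_substituted_username(handler, token: str, victim: str) -> dict:
    """The MITM move: keep the app's own session token, change the username
    field to the victim's, and resend the request to the given handler."""
    return handler({"token": token, "username": victim})
```

Against the vulnerable handler the replay returns the victim’s number; against the hardened one it returns a 403 with no phone field, and the same attacker with no token at all gets a 401.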
Byttow is interested in Yo security because his own company, which is hugely popular with tech workers in northern California, has been subjected to the same scrutiny. Secret, however, is designed in such a way that MITM attacks don’t reveal anyone else’s data.
We asked Byttow how common it is for apps to have this type of vulnerability. He told us, “I mean, it’s extremely careless…. I don’t know how common it is. Usually when an app gets popular people poke and prod at it.”
Yo says it is working on a fix.
The hackers, meanwhile, say they can manipulate Yo any way they want. They told Techcrunch:
The student emailed TechCrunch detailing what he alleges are the results of the hack: “We can get any Yo user’s phone number (I actually texted the founder, and he called me back.) We can spoof Yos from any users, and we can spam any user with as many Yos as we want. We could also send any Yo user a push notification with any text we want (though we decided not to do that.)”
For the most part, hacking Yo seems only to expose your phone number. That’s not the end of the world: Snapchat was hacked recently and exposed people’s phone numbers too.
However, this could be the tip of the iceberg. If you’re worried, delete the app, or don’t install it in the first place.