It’s a No for Yo as Messaging Service is Hit By Hackers


Much-hyped one-word messaging app Yo appears to have been compromised just over a month after its launch.

Or Arbel, the Israeli creator of the application, told Mashable at the end of last week that “a few guys tried to hack” it and that they “did succeed to some extent”.
However, he added that the people responsible for the hack “actually helped me to close the issue”.
TechCrunch reported earlier that a group of Georgia Tech University students emailed the site claiming responsibility for the attack.
The hack enabled the trio to steal Yo user phone numbers, spoof Yo messages to come from any user, and spam Yo users with as many ‘Yos’ as they like.
“We could also send any Yo user a push notification with any text we want (though we decided not to do that.),” the email continued.
Elsewhere, a Vine video from user Hako seems to show Yo being hacked to play Rick Astley’s “Never Gonna Give You Up” instead of the regular “Yo” sound.
A third unconfirmed attack was referenced in an Instagram shot of an iPhone running Yo.
Developer Arbel launched the app, which only allows users to send each other the one-word message “Yo”, back in April.
However, it really hit the headlines a few days back when the Financial Times claimed Arbel had managed to secure $1 million in funding for the project.
Reports suggest he built the first iteration of the app in just eight hours which, if true, would hint that not enough time had been spent on testing for vulnerabilities and fine-tuning the code.
Amichai Shulman, CTO of Imperva, argued that any app pushed out in such a short time “is bound to suffer from multiple flaws”, some of which will probably be security related.
“The problem is not with the app – the problem is with the service and the interface it supposedly exposes to the app. Sometimes people who target mobile market (and their audience) forget that what eventually makes the app tick is a web application,” he told Infosecurity.
“That web application is accessible to anyone from any type of device and is exposed to the same risks as any web application – such as SQL injection, unsafe object references, authorization bypass and more. Quite often we see programmers repeating the same mistakes that are already fixed in ‘standard web applications’ when they come to build applications that service mobile devices.”
TK Keanini, CTO at Lancope, agreed that developers have the first opportunity to make sure systems are resilient to internet threats.
“With internet connected applications, you must assume that the most talented adversaries have your application and are working to find flaws,” he told Infosecurity. “Once you take this position, even if a vulnerability is found your readiness to contain and respond rapidly and appropriately will be superior.”