At least 50,000 “Yo” users at risk of having phone numbers exposed
Messaging app “Yo” has been under a lot of stress lately, as various curious users have tried to make it do something other than just send a Yo message to a contact. The app, available on both iOS and Android, simply sends a “yo” message, which you don’t even have to type, to a contact in the user’s list; there is no support for video, images, or texts larger than two characters.
TechCrunch was tipped off through an email from a Georgia Tech student, who claims to have broken Yo’s security, gaining access to the phone number of any Yo user as well as the ability to spam the app’s users with Yo messages.
Moreover, the student can allegedly send push notifications with a text of his choice. But the cherry on top is that he said he managed to text the founder of the application, who returned a phone call to him.
Yo may seem like a silly mobile application, but it has garnered at least 50,000 users whose phone numbers can land in the hands of cybercriminals, if they find their way into the application.
According to the Financial Times, users of the mobile app have yoed a total of four million times, half of that happening in the last month.
Furthermore, the founder raised $1 million (€734,000) from Mr Hogeg’s angel fund to create a solution for low-overhead notifications from any source that is of interest to the user.
Multiple pieces of evidence that “Yo” is insecure have surfaced lately: one user posted a Vine with the default sound of the app changed. Another published on Instagram an image with a notification message on top of the Yo contact list.
Arbel also said that the company is currently working with a specialist security team in order to solve the security problems. He did not reveal the flaws that have already been eliminated, though.
Installing “Yo” is a simple thing, although it is a bit more complicated a procedure than actually using the app. As far as permissions are concerned, it uses one or more accounts on the device and the associated profile data.
Some users have already started to remove Yo from their devices as a precaution: