Uh-oh, Yo has major security flaws

Found you.
Image: AP/Marcio Jose Sanchez

Yo, the mobile messaging app that quickly rose to popularity this week with a bewilderingly simple premise—the only message it can send is “yo”—has a lot more than that lurking beneath its surface.

At least until several hours ago, Yo exposed all of its users’ phone numbers to anyone with the wherewithal to request them. Several developers demonstrated the issue, which takes advantage of flaws in the way Yo talks to its database.

And that’s not all. Another developer was able to inject a message into the app that appeared to many users:


Yo founder Or Arbel wrote in an email to Quartz that the app is “having security issues” and said some problems had been fixed but didn’t specify which. It’s not clear if Yo is still exposing user phone numbers or if deleting the app would protect your account, though that is the prudent step to take.

“We brought in a specialist security team to deal with the issues, and we are taking this very seriously,” Arbel wrote.

Yo is currently the most popular social networking app and fifth most popular free app in Apple’s US App Store, with more than 300,000 users. As Yo became an overnight sensation, people both marveled at and derided its limited functionality.

The app—and the million dollars in venture funding that it has already attracted—might seem like merely a high-concept joke about America’s overheated technology industry, if it weren’t also genuinely addictive. Venture capitalist Marc Andreessen said earnestly that Yo is part of a trend toward “one-bit communication.”

But the security holes could threaten Yo as it starts to take off. Arbel said he developed the first version of Yo in only eight hours. Like a lot of mobile app developers, he relied on Parse, a service that handles the routine plumbing that all apps rely on. But Arbel’s code left several holes that could expose users’ data.

On the other hand, people tend to shrug at these kinds of security concerns. Some of the same developers who exposed the flaws in Yo previously found even more serious problems with Tinder, but that dating app is now more popular than ever. And Snapchat, the photo-messaging sensation, seems barely the worse for wear after 4.6 million of its users’ names and phone numbers were leaked online earlier this year.

Of all Yo’s security issues, the most amusing is certainly this: At least one developer was able to make the app send a message other than “yo.”