Yik Yak shown no slack in intern hack attack

Getting hacked seems to be a rite of passage for social media companies. It’s sign that they’ve grown big enough to attract the attention of the hacking community.

Right on schedule, anonymous local chatting app Yik Yak has been hit with a big security breach, a mere two weeks after closing its $62 million round led by Sequoia. An intern from a security firm figured out how to unearth people’s real life identities and take control of their accounts.

I reached out to Yik Yak for comment and a spokesperson said, “Upon being informed of the issue, Yik Yak acted immediately to address and remedy the situation.” The company released an updated app last week that fixes the hole, before SilverSky Labs, a security firm, disclosed the flaw on Monday.

Yik Yak is huge in U.S. colleges, where people within a two mile radius of each other can post anonymous, public messages to a feed.

A young intern at SilverSky Labs decided to test Yik Yak’s system given recent privacy controversies in the anonymous app space (see: Whisper). It didn’t take long to crack the app’s code — just a few days. “This attack is not particularly sophisticated,” Brandon Edwards, VP of SilverSky Labs, told me. “A lot of the tools [we used] are common place in network analysis.”

Intern Sanford Moskowitz figured out that although Yik Yak encrypted the messages sent over its network, it also communicated with third party service providers that didn’t do so. Therein lay the weakness, allowing Moskowitz to find unique Yik Yak user ID numbers (different from the publicly facing username).

Since Yik Yak doesn’t require passwords, anyone with this person’s user ID number could tamper with the Yik Yak app to log into said user’s account, see their content, and post under their identity. They could also use the ID to figure out someone’s real-life identity, by running it through Wireshark and linking it to the person’s smartphone cues. For example, if you’re logged into other social networks that have your name, a hacker could trace that through your Yik Yak ID.

Until recently, Yik Yak had been the bastard child of the Secret-Whisper triangle, largely forgotten by Silicon Valley. But with its star is on the rise, its days of anonymity are over. Its systems are now under scrutiny, from investors, press, and hackers alike.

Facebook filling the gaping hole in its mobile strategy

It looks like Facebook wants to address the big weaknesses in its mobile business model before it has to deal with nagging questions of its investors. According to FT, Facebook plans in March to include sponsored posts in its mobile news feeds.

Facebook just revealed its Kryptonite: mobile

In its IPO filing Facebook mentions the word “mobile” 123 times but didn’t use the term in positive ways. In fact, Facebook’s S-1 filing is one big warning to investors: Its growth is being driven by user behavior that it has so far failed to monetize.