Mastodawn

Athanasius Dec 1, 2022

Warning: Do not use Hive Social ⚠️🐝

We found multiple critical security vulnerabilities in the App, leaking private messages, posts, images and user data like phone numbers, emails and birthdates.

https://zerforschung.org/posts/hive-en/

⚠️ Warning: do not use Hive Social 👉🐝👈

Dieser Artikel ist auch auf deutsch erschienen. Update: The vulnerabilities are currently no longer exploitable because Hive deactivated their servers. More details Following the Twitter takeover, a number of services promising to be an alternative gained traction. One of those is “Hive Social”, which reached more than a million users in the last weeks. Of course, we were interested and took a look at Hive from a security standpoint. We found a number of critical vulnerabilities, which we confidentially reported to the company. After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to fix them within the next two days. However after those two days, multiple vulnerabilities we reported were not fixed and still existed at the time of writing. ⚠️ We strongly advise against using Hive in any form in the current state.

zerforschung Nov 30, 2022

People on Twitter wished for an edit button. One of Hive's security vulnerabilities allows even more: You can edit posts of other accounts.

zerforschung Nov 30, 2022

To not endanger the privacy of the people currently using Hive even further, we are only publishing a short product warning. Once the issues are fixed, we will publish a more in depth analysis including technical details.

zerforschung Dec 1, 2022

Update: The vulnerabilities are currently no longer exploitable because Hive deactivated their servers. More details: https://zerforschung.org/posts/hive-en/#update-1-poof-the-hive-is-gone

⚠️ Warning: do not use Hive Social 👉🐝👈

Dieser Artikel ist auch auf deutsch erschienen. Update: The vulnerabilities are currently no longer exploitable because Hive deactivated their servers. More details Following the Twitter takeover, a number of services promising to be an alternative gained traction. One of those is “Hive Social”, which reached more than a million users in the last weeks. Of course, we were interested and took a look at Hive from a security standpoint. We found a number of critical vulnerabilities, which we confidentially reported to the company. After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to fix them within the next two days. However after those two days, multiple vulnerabilities we reported were not fixed and still existed at the time of writing. ⚠️ We strongly advise against using Hive in any form in the current state.

Daniel Bohrer Dec 1, 2022

@zerforschung > We had a longer call with their developer

wait, there is only one?! 😮

Chris Brown Dec 1, 2022

@zerforschung I’m not sure why anybody would give an app their real birthdate anyway.

Albatroz Jeremias Dec 2, 2022

@zerforschung its back?
https://techcrunch.com/2022/12/01/twitter-alternative-hive-shuts-down-its-app-to-fix-critical-security-issues/ or is only the webpage?

TechCrunch is part of the Yahoo family of brands

@zerforschung Oh wow. 😂

CoreyRDean Dec 1, 2022

@zerforschung doing the lords work 🙌

Katzentratschen Dec 1, 2022

@zerforschung Four hours later.

Momo Dec 1, 2022

@katzentratschen
Oh Mann, really?! 🤣
Chooo Chooo, here comes the fail train...

Katzentratschen Dec 1, 2022

@momo @zerforschung Take a look at their replies. And bring some popcorn.

Momo Dec 1, 2022

@katzentratschen
Oh my god! Time to open the strategic popcorn reserves!! 🥰

Nils 'Kojote' Hitze Dec 4, 2022

@momo @katzentratschen @zerforschung I'll prefer Nacho but I do not see them coming back up anytime soon

Katzentratschen Dec 14, 2022

@kojote @momo @zerforschung Their app has been removed from Apple's app store.

Nils 'Kojote' Hitze Dec 14, 2022

@katzentratschen woops

Timothy Adams Dec 1, 2022

@zerforschung sounds like a good idea!

Jayson Massey Dec 1, 2022

@zerforschung I just went on the site. Not only are there no posts appearing, I created a post AND THE POST DISAPPEARED!!!!! Massive fail. Delete the app ASAP.

grillchen Nov 30, 2022

@zerforschung we need this feature on pleroma.

(((Pro-choice Morgana)))Nov 30, 2022

@zerforschung yikes!

Toad King Nov 30, 2022

@zerforschung it's a feature 🌌🧠

mray Dec 1, 2022

@zerforschung outch?!

@zerforschung eyyyyyyy it's Old Tumblr xD

[MOVED to chitter.xyz] Okesska Dec 1, 2022

@zerforschung c*** is one of my favorite tastes

Laurie Dec 1, 2022

@zerforschung holy cow, that’s handy 😮
Thanks for saving me/us some time..

Richard Dec 1, 2022

@zerforschung Perfect! Elon and Stephen King could collaborate on a single...tweet or whatever they are over there. Cool.

Jozef Dec 1, 2022

@zerforschung Wow. That bug where you can edit other peoples posts is quite scary really. Thanks for the heads up.

Planch Des Belles Filles Dec 1, 2022

@zerforschung best Feature. I know better what other people should write 🤪

@zerforschung some insane vulnerability
also getting john green tumblr vibes lol

lgtm Dec 1, 2022

@zerforschung @fasterthanlime this is a sorely needed feature on birdsite

@zerforschung @fasterthanlime they just want to bring old tumblr back!

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛Dec 1, 2022

@zerforschung The most powerful edit button of any network!

⌛️🧮 Bruce Carnwell (🐣 & 🌴)Dec 1, 2022

@zerforschung That is definitely a interesting feature 😎🥂

Jürgen Trinkaus

@zerforschung Nice one 🫣🤦🏻

Moffin'tosh Dec 1, 2022

@zerforschung LOOOOOOOOOOOOL

アイアンハンドガンダム Dec 1, 2022

@zerforschung Elon: editing other users messages is absolut free speech

Cher Tailor Dec 1, 2022

@zerforschung To quote a review of New World's un-sanitized inputs:

"The PVP in this is insane"

Will is too honest to be an MP Dec 1, 2022

@zerforschung Seen this, @BleepingComputer?

National Security Agency

@zerforschung we super duper promise to not abuse this if you tell us how it's done

leap123 Dec 1, 2022

@zerforschung :troll:

Sandy Dec 1, 2022

@zerforschung i gotta try this out??? 😂

kirby Dec 1, 2022

@zerforschung wow! They should add this to the fedi

localhost TCP/UDP Dec 1, 2022

@zerforschung
cc @kaede

Go Forth In Love Dec 2, 2022

@zerforschung Hive is in prebeta.

Kevin Severud 🚵🏼‍♂️Dec 20, 2022

@zerforschung @rakenodiax 😱

michael Nov 30, 2022

@zerforschung oh wow 😳

Elias Klarname Nov 30, 2022

@zerforschung Weia, that sounds devastating…

chaos 🏳️‍🌈Nov 30, 2022

@zerforschung holy hell in a handbasket 👀 glad I haven’t made an account there

@zerforschung look at all the people who aren't the slightest bit surprised by this 😁

Bloodywing Nov 30, 2022

@zerforschung Why I am not surprised?

Rory Nov 30, 2022

@zerforschung Never heard of Hive social until now. At the same time, I will not use it...

Rory Nov 30, 2022

@zerforschung Thanks for the warning.

Johann | DiEM & MERA25 Nov 30, 2022

@zerforschung Pretty sure you'll also find something when you take a closer look at post.news. That seems to be the main one hyped up by mainstream journalists and some other blue checks. Their founder should know better, from past work experience, but I'm sure they cut some corners, too.

RDS (shawphd on Twitter)Dec 1, 2022

@JMCQ87 @zerforschung Accessibility seems to be one of those corners. 😕

level 5 troon hazard Nov 30, 2022

@zerforschung but mastodon DMs arent encrypted, its insecure! /s

Unsunny Nov 30, 2022

@zerforschung Woah yikes. I had heard about it, already wasn’t too keen on using it thanks to its apparent lack of moderation, but this is also bad. Guess I’ll be sticking entirely with Mastodon for now!

@zerforschung I Am Not Surprised At All
What an absolute disaster of an app. I knew something bad was going to happen, but not that bad.

@zerforschung I may be wrong, but the name sounds familiar. Sure, I could google it. - But I believe this is not the first time Hive has been caught with plain text leaks.

vainandblindman Dec 1, 2022

@zerforschung What did you expect for an app run by two people?

Nancy Ellen Maitri Peden:toad:Dec 1, 2022

@zerforschung thanks. Good to know.