Categories: Tech NewsTechCrunch+

Twitter alternative Hive shuts down its app to fix critical security issues

The team at the newly popular Twitter alternative Hive is in over their head. The company has now taken the fairly radical step of fully shutting down its servers for a couple of days in response to concerns raised by security researchers who discovered a number of critical vulnerabilities on Hive, several of which they say remain unfixed. The issues they found would allow attackers access to all data, including private posts and messages, shared media and even deleted direct messages, as well as the ability to edit other people’s Hive posts.

The researchers, a part of a German collective called Zerforschung, claimed they confidentially reported the security vulnerabilities to Hive’s team, noting it was initially difficult to reach a point of contact at the company. Several days later, Hive replied, claiming the issues to be fixed, a Zerforschung blog post explains. However, the researchers found this was not the case so they took their concerns to the public, warning people against using Hive’s app.

Shortly after, Hive announced it was temporarily shutting down its servers to address these problems. It also claimed, across several tweets, that they never told the researchers the issues were “fixed” but that they were “fixing” them, eventually deciding to go offline until problems were addressed.

Hi everyone!
The Hive team has become aware of security issues that affect the stability of our application and the safety of our users. Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience pic.twitter.com/wOgW7ga9xN

— Hive (@TheHIVE_Social) December 1, 2022

We wanted to push out fixes altogether instead of incrementally. Shutting down the server was the best option to do that.

— Hive (@TheHIVE_Social) December 1, 2022

It’s an unusual way to patch bugs, to say the least, and one that raises questions about the development workflow at the company. Is there not a dev environment where code is fixed, then staged for a release? How bad was the code that it requires a full stop of company operations to rework it?

These aren’t the first concerns that have been raised about Hive in the weeks following its rapid growth, which has been fueled by Elon Musk’s acquisition of Twitter. Today, a number of Twitter users are unhappy with the direction Musk is taking the social network and have been seeking out alternatives. This has led to sizable boosts to the user bases of other social apps, including Mastodon, CoHost, Tumblr, CounterSocial, Post News, Koo, and Hive, among others.

But it’s also led to increased scrutiny for Hive, a smaller app that until recently was a two-person team. The company has not always been fully transparent about its inner workings, corporate structure, moderation capabilities, or sources of funding. This tends to leave Hive users looking for information on their own, then raising questions about what they dig up.

For example, one of the issues that popped up in the past couple of weeks involved the resurfacing of an older, problematic tweet posted by a former employee, Gil Malfabon, who created Hive’s design system. Hive publicly confirmed Malfabon was no longer with the company, and he privately confirmed the same to TechCrunch. While the designer currently appears listed on tax filings (PDF) as an officer, he says next year’s filing should be accurate.

Hive also recently told TechCrunch it now has two other employees in addition to the 24-year-old founder and self-taught coder Kassandra Pop (who goes by other online usernames like Raluca and Salem.). But Pop wouldn’t disclose the full names of her team members when asked, referring to them only as Joshua and Pablo. She said they didn’t want the attention. The company has also grown to some 2 million users, according to a Business Insider report published on Nov. 22, but hasn’t explained how it’s being funded. (Recent tweets hint that funding conversations are in the works, however.)

Lots of things happening in the background, so short answer- yes.

— Hive (@TheHIVE_Social) December 1, 2022

In terms of the product, Hive has also faced several issues. When the company’s server reached capacity under the influx of new users in late November, Hive allowed duplicate usernames to be created. It said that there could be other duplicate usernames from when Hive first launched, as well. The company claims the issue is now fixed, but it’s an obvious security concern as duplicates could allow for impersonation. In addition Hive frequently replies to Twitter users’ requests for usernames to “free up” their preferred handles for them, as it did recently for YouTuber iJustine — a sort of ad hoc system to address its lack of verification procedures.

Worse, the company has grown a network to millions of users without moderators, security teams, or staff focused on GDPR or other regulatory compliance. This could be chalked up to naivete, perhaps, about what it means to run a social network in 2022, but it’s also reckless and negligent.  But Hive may get away with it, if the funding arrives.

Pop told Insider she planned to use future funds to hire moderators to filter out gore, violence and child exploitation content, to give you an idea of the urgency. Hive has been asked for comment but did not immediately reply.

Twitter alternative Hive shuts down its app to fix critical security issues by Sarah Perez originally published on TechCrunch

Recent Posts

Unlocking the Secrets of JSON.stringify(): More Than Meets the Eye

JSON (JavaScript Object Notation) is a lightweight data-interchange format widely used in web development. At…

3 months ago

How to Handle AJAX GET/POST Requests in WordPress

AJAX (Asynchronous JavaScript and XML) is a powerful technique used in modern web development that…

4 months ago

Page Speed Optimization: Post-Optimization Dos and Don’ts

Introduction After successfully optimizing your website for speed, it's essential to maintain and build upon…

4 months ago

Ultimate Guide to Securing WordPress Folders: Protect Your Site from Unauthorized Access

Securing your WordPress folders is crucial to safeguarding your website from unauthorized access and potential…

5 months ago

HTML CSS PHP File Upload With Circle Progress Bar

Creating a file upload feature with a circular progress bar involves multiple steps. You'll need…

6 months ago

Using WP Rocket with AWS CloudFront CDN

Integrating WP Rocket with AWS CloudFront CDN helps to optimize and deliver your website content…

6 months ago