In the course of Elon Musk's takeover of Twitter, and because some users no longer wanted to remain on the platform, several alternatives have become popular, such as Mastodon or the Brazilian Hive Social. After German researchers uncovered serious security gaps, the service is now offline.
Yesterday, the Zerforschung collective warned against using Hive Social on its own blog because it had found a large number of serious security vulnerabilities in the app of the Brazilian microblogging service. “We currently strongly advise against using Hive Social,” was its conclusion.
It was difficult to make contact
Zerforschung had also shared its concerns with Hive, but contacting the company was initially difficult before the first gaps were later closed. A timeline posted on the blog traces the sequence of events, beginning with a failed call to the CEO that the researchers say was “pushed away.” Zerforschung finally published its product warning on November 30th.
Access to all data of all users
The collective does not describe in detail which security gaps the app has, citing the protection of users' privacy. For the time being, therefore, no technical details on the gaps are to be published. It does explain, however, that attackers can access all data of all users: read private posts, private direct messages, shared images and videos, and even direct messages and posts that were supposedly already deleted. In addition, the e-mail addresses, telephone numbers and dates of birth provided during registration are accessible. Attackers could even change other people's posts, as a video on the blog shows.
Hive Social is offline for bug fixes
Hive, for its part, decided on a drastic step after the security gaps were made public and took the service offline for the time being. Over the coming days, several bug fixes are to be incorporated to close all the gaps. On Twitter, the company says it was “made aware” of security issues affecting app stability and user security. Immediately below that tweet, a user criticises that this step was only taken after Zerforschung's “Responsible Disclosure” and not immediately after the first contact was made.
The Hive team has become aware of security issues that affect the stability of our application and the safety of our users. Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience pic.twitter.com/wOgW7ga9xN
— Hive (@TheHIVE_Social) December 1, 2022
Hive explains this by saying that all bug fixes should be applied at once rather than incrementally, and that taking the servers offline was the best option.