⚠️ Warning: do not use Hive Social
Update: The vulnerabilities are currently no longer exploitable because Hive deactivated their servers. More details in Update 1 below.
Following the Twitter takeover, a number of services promising to be an alternative gained traction. One of those is “Hive Social”, which reached more than a million users over the last few weeks.
Of course, we were interested and took a look at Hive from a security standpoint. We found a number of critical vulnerabilities, which we reported confidentially to the company. After multiple attempts to contact the company, we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders from us, they said they would fix the issues within the next two days. However, after those two days, several of the vulnerabilities we reported were not fixed and still existed at the time of writing.
The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes the private email addresses and phone numbers that users entered at login.
Attackers can also overwrite data such as posts owned by other users, which we show in the following video:
So as not to endanger the privacy of the people currently using Hive any further, we will not publish a more in-depth analysis at this time.
If you need an alternative to Twitter, try Mastodon. You can follow us on there, too.
We’ll update this post with more details once Hive has finally fixed their issues.
Update 1: Poof, the hive is gone
After our article was published, Hive decided to deactivate their servers. This means the vulnerabilities can no longer be exploited.
We had a longer call with their developer. He is working on fixing the issues. We will update this post with the promised longer technical writeup at a later time.
We also reworded a paragraph that said "they claimed to have fixed all issues" due to a miscommunication between Hive's CEO and us.
- After multiple days and multiple reminders by us, they claimed to have fixed all issues. However multiple vulnerabilities we reported **still exist** at the time of writing.
+ After multiple days and multiple reminders by us, they claimed to fix them within the next two days. However after those two days, multiple vulnerabilities we reported were not fixed and **still existed** at the time of writing.
Timeline
- 2022-11-23 - we began looking at Hive Social
- 2022-11-26 14:36 GMT+1 - Finished writing report, sent emails with a request for confirmation
- 2022-11-27 01:25 GMT+1 - First try to reach the CEO by telephone, the call was rejected
- 2022-11-27 02:21 GMT+1 - Notified other Hive admins about an urgent email in their support inbox
- 2022-11-27 02:41 GMT+1 - Second try to reach the CEO by telephone. She couldn’t find the report in the support emails; we sent it again
- 2022-11-28 02:48 GMT+1 - Sent email with question about a timeline for fixing the vulnerabilities
- 2022-11-28 18:13 GMT+1 - Sent another email to the Hive support address. Also sent an iMessage to the CEO
- 2022-11-28 19:38 GMT+1 - Got the first written acknowledgement by iMessage
- 2022-11-28 22:15 GMT+1 - Vulnerabilities still open, sent iMessage asking for a timeline again
- 2022-11-30 16:30 GMT+1 - Our routine tests indicate that the first vulnerability may have been closed
- 2022-11-30 21:00 GMT+1 - Released this Post
- 2022-12-01 02:32 GMT+1 - Hive deactivated their servers
- 2022-12-01 20:45 GMT+1 - Released Update 1