Update: The vulnerabilities are currently no longer exploitable because Hive deactivated their servers. More details

Following the Twitter takeover, a number of services promising to be an alternative gained traction. One of those is “Hive Social”, which reached more than a million users in the last weeks.

Of course, we were interested and took a look at Hive from a security standpoint. We found a number of critical vulnerabilities, which we confidentially reported to the company. After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to fix them within the next two days. However after those two days, multiple vulnerabilities we reported were not fixed and still existed at the time of writing.

Once again a report about TikTok is going around. We have read it carefully: It’s mostly nonsense. Let’s have a look at the claims one after the other

A shocking new report today outlines just how far TikTok goes to harvest personal data from its users, data that some fear could be used by China for intelligence and cyber hacking. #TheProjectTV pic.twitter.com/cHkR1bwTdK

— The Project (@theprojecttv) July 18, 2022

Now let’s move on to sports: the whole world is talking about the test certificates of a tennis player right now.

Novak Đoković is a serbian tennis player who recently entered Australia – without vaccination, but with two PCR test certificates. A positive test result from December 16th and a negative test result from December 22nd. He is therefore considered to be recovered.

With this he got a special permit to enter the country unvaccinated – but this permit was then considered insufficient when he entered the country. In the meantime, however, a court has allowed him to enter australia.

In cooperation with SPIEGEL, we took a look at the court documents and tried to understand the technical details. 🕵️

During the pandemic, grocery delivery services gained popularity. New players on the market offer delivery in under an hour. One of them is Gorillas, which not only delivers apples and granola bars in 10 minutes, but just as quickly delivered the data of all its customers.

How could this happen? Unfortunately, it was once again much too simple. But let’s start at the beginning:

What happened so far …

In our first thread on Clubhouse (in german) we had only taken a superficial look at Clubhouse.

We saw that Clubhouse uses an external service provider called Agora.io for the voice call functionality. Agora.io is also used by many other apps, including a therapy app. In the thread we found that, among other things, we can easily listen to a room without being displayed to the other room participants if we communicate directly with Agora.

Conversely, you can also be displayed in a room without listening. However, this is not really a problem - after all, even outside Clubhouse you are often present in conversations without really listening.

… and what happened next …

Dieser Artikel ist auch auf Deutsch erschienen.

tl;dr: Every time you open the invite tab, clubhouse uploads all the phone numbers from your address book.

Clubhouse is currently invite-only, which is probably part of the current hype. To invite someone you have to give Clubhouse access to your address book. This has been criticized several times. There has been a lot of discussion about how Clubhouse uses this address book data. We took a look and document how clubhouse currently uses the data from your address book and how it could be done better.