Hive Fails Penetration Test and Goes Offline
Hive was forced to go offline over security concerns reported by the German penetration testers Zerforschung. Initially Hive hoped to be down for only one or two days; however, a further announcement said that the issues could not be fixed as quickly as hoped. It is not clear when Hive will be back online, or whether any malicious actors exploited the vulnerabilities before they were reported.
Attackers could access all data
On 30 November Zerforschung released a statement saying:
The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes private email addresses and phone numbers entered during login. Attackers can also overwrite data such as posts owned by other users.
This must come as a blow to Hive, which recently passed 1 million active users in its bid to become a Twitter alternative. Since Elon Musk's takeover of Twitter, a proportion of its userbase has left and is looking for a new social platform. The main contenders are Mastodon, Parler and Hive Social, but the recent downtime and security concerns are likely to slow Hive's growth.
Forced to go offline
It took Zerforschung three days to discover the vulnerabilities, and on 27 November they reported them to Hive. Their first attempt to reach Hive's CEO, Kassandra Pop, by phone was rejected. It was only after Zerforschung contacted the platform's admins that the CEO tried to review the security report, but she could not find it in her emails.
Even then, it took a further five hours for Hive to acknowledge the vulnerabilities. Later that evening it appeared that no security measures had been taken, and Zerforschung pushed for a timeline to fix the issues. On 30 November, tests indicated that one of the issues had been fixed but the others remained. Later that day, three days after the initial report, Zerforschung went public with the vulnerabilities, and on 1 December Hive deactivated its servers.
For the time being, Zerforschung will not publish details of the vulnerabilities, in order to protect users' privacy while the issues remain unfixed.