The team at the newly popular Twitter alternative Hive is in over its head. The company has now taken the fairly radical step of fully shutting down its servers for a couple of days in response to concerns raised by security researchers who discovered a number of critical vulnerabilities on Hive, several of which they say remain unfixed. The issues they found would allow attackers access to all data, including private posts and messages, shared media and even deleted direct messages, as well as the ability to edit other people’s Hive posts.
The researchers, part of a German collective called Zerforschung, said they confidentially reported the security vulnerabilities to Hive’s team, noting it was initially difficult to reach a point of contact at the company. Several days later, Hive replied, claiming the issues had been fixed, a Zerforschung blog post explains. However, the researchers found this was not the case, so they took their concerns to the public, warning people against using Hive’s app.
Shortly after, Hive announced it was temporarily shutting down its servers to address these problems. It also claimed, across several tweets, that it never told the researchers the issues were “fixed” but that it was “fixing” them, and that it eventually decided to go offline until the problems were addressed.
It’s an unusual way to patch bugs, to say the least, and one that raises questions about the development workflow at the company. Is there not a dev environment where code is fixed, then staged for a release? How bad was the code that it requires a full stop of company operations to rework it?
These aren’t the first concerns that have been raised about Hive in the weeks following its rapid growth, which has been fueled by Elon Musk’s acquisition of Twitter. Today, a number of Twitter users are unhappy with the direction Musk is taking the social network and have been seeking alternatives. This has led to sizable boosts to the user bases of other social apps, including Mastodon, CoHost, Tumblr, CounterSocial, Post News, Koo and Hive, among others.
But it’s also led to increased scrutiny for Hive, a smaller app that until recently was a two-person team. The company has not always been fully transparent about its inner workings, corporate structure, moderation capabilities or sources of funding. This tends to leave Hive users looking for information on their own, then raising questions about what they dig up.
For example, one of the issues that popped up in the past couple of weeks involved the resurfacing of an older, problematic tweet posted by a former employee, Gil Malfabon, who created Hive’s design system. Hive publicly confirmed Malfabon was no longer with the company, and he privately confirmed the same to TechCrunch. While the designer currently appears listed on tax filings (PDF) as an officer, he says next year’s filing should be accurate.
Hive also recently told TechCrunch it now has two other employees in addition to the 24-year-old founder and self-taught coder Kassandra Pop (who goes by other online usernames like Raluca and Salem). But Pop wouldn’t disclose the full names of her team members when asked, referring to them only as Joshua and Pablo. She said they didn’t want the attention.
The company has also grown to some 2 million users, according to a Business Insider report published on November 22, but hasn’t explained how it’s being funded. (Recent tweets hint that funding conversations are in the works, however.) App store intelligence firm data.ai, for its part, reports the app has seen only around 1.7 million installs.
In terms of the product, Hive has faced several issues. When the company’s server reached capacity under the influx of new users in late November, Hive allowed duplicate usernames to be created. It said that there could be other duplicate usernames from when Hive first launched, as well. The company claims the issue is now fixed, but it’s an obvious security concern as duplicates could allow for impersonation. In addition, Hive frequently replies to Twitter users’ requests for usernames to “free up” their preferred handles for them, as it did recently for YouTuber iJustine — a sort of ad hoc system to address its lack of verification procedures.
Worse, the company has grown a network to millions of users without moderators, security teams or staff focused on GDPR or other regulatory compliance. This could be chalked up to naivete, perhaps, about what it means to run a social network in 2022, but it’s also reckless and negligent. But Hive may get away with it, if the funding arrives.
Pop told Insider she planned to use future funds to hire moderators to filter out gore, violence and child exploitation content, to give you an idea of the urgency. Hive has been asked for comment but did not immediately reply.