Hive Hexagons

Hive Social pulls the plug on itself after security flaws found

You may well have changed your social media site of choice recently, but that doesn’t mean the security implications of less familiar sites and services can be ignored.

For the sites themselves, coping with an influx of new users can be nothing short of a large headache. And even the more established entities like Mastodon—which is experiencing increased scrutiny alongside its recent boom in popularity—are not left unscathed from complaints and potential security issues.

Indeed, even Infosec Mastodon is feeling the occasional pinch at the moment.

Enter stage left: Hive Social

Elsewhere, you have totally new services springing up such as Hive Social. The app-only service which superficially resembles Twitter has ended up with one million users in a very short space of time, thanks to snowballing word of mouth.

At the time of the Hive popularity explosion, concerns were raised about the incredibly small team behind the app. The CEO of Hive told Mashable that, in relation to worries about it just being two people running things:

“…it’s been two people for two years. We are used to functioning this way”.

Social media and similar ventures have a long history from the early days of being self funded, with people at the helm who taught themselves how to code. Start small, make money, and as the problems scale so too does the business. Things have moved on since then, and there’s now an endless deluge of issues to contend with. Invasive data requests from Governments and law enforcement. A legal team to deal with said requests. Moderation on a grand scale. Government concerns. DCMA processes. The perils of CSAM.

As the problems grew, so too did the teams on the other side with the legal and technical chops to scale with varying levels of success. Even then, the biggest social media platforms in the world don’t have anything approaching permanent solutions for these issues. Could two or three people really deal with all of this? What happens when the first big issue arises and you have a million users to contend with?

The answer is, you end up shutting down your service completely to fix a security flaw.

Hive Social pulls the plug

Hive was taken offline last Wednesday, after researchers found security issues which could have had major ramifications for service users. It is claimed that attackers would be able to access all data, which would extend to private messages, private posts, and deleted direct messages.

Additionally, posts made by other users could also be overwritten. The team of researchers held back on releasing specifics of the vulnerabilities, as they couldn’t be sure of exploitation. There were claims that at least some of the issues reported were still active after the supposed two day timeframe given by Hive Social to get everything fixed. It should be noted that there are some quibbles over the timelines talked about publicly. The researchers disagreed over whether or not Hive Social claimed everything had been fixed within a specific timeframe, or whether they were being addressed in an ongoing fashion:

In fact, this is addressed in an update to the original research piece where a paragraph has been rewritten due to a “Miscommunication between Hive’s CEO and us”. Stand down, everyone!

Down but not out

At time of writing, Hive is still not back from its self imposed exile.

I’m struggling to think of another social media network which hit the “too big, too soon” apex point and wound it up with a total outage plug pull shortly after. With only a handful of staff available, it wouldn’t be surprising to find out that the security issues have had to be outsourced to try and solve. These things take time, and it’s possible that Hive may be down for a little while longer.

The best case scenario is that nobody with bad intentions discovered the security flaws and harvested user data. For a service so young, it could easily be a fatal blow. Why stick around to find out what goes wrong next, when you could just move somewhere more established and be done with it?

Anyway, good luck to this fledgling social media app and also all of its users. Fun and safe alternatives for your online interactions are always a good thing. Let’s hope Hive Social can deliver.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.