Hive is a My First App project from a teen who taught herself to code in 2019 (<a href="https://www.hivesocial.app/about-us" rel="nofollow">https://www.hivesocial.app/about-us</a>).<p>Caveat emptor.
Hive just shut down their entire app: <a href="https://twitter.com/TheHIVE_Social/status/1598119071907991552" rel="nofollow">https://twitter.com/TheHIVE_Social/status/159811907190799155...</a>
4 days from reporting to public posting is not a responsible disclosure policy. Even if they are slow in responding, the usual grace period is about 4 weeks if I recall.
I wanted Mastodon to replace Twitter so we can finally see a mainstream Federated social media, to break free of corporate control over social expressions.<p>But with the Hive there is nothing unique, it's a Twitter clone, which doesn't offer any technical or operational benefits, and also no major features.<p>If we are still going to use a centralized network, might as well just continue using Twitter, a network with an existing social circle.
Critical security vulnerability in an iOS-exclusive app? I bet they're using CloudKit and forgot to implement server-side access control. (Even Apple screws that up half the time: <a href="https://labs.detectify.com/2021/09/13/hacking-cloudkit-how-i-accidentally-deleted-your-apple-shortcuts/" rel="nofollow">https://labs.detectify.com/2021/09/13/hacking-cloudkit-how-i...</a>)
summary quotes:<p>> The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes private email addresses and phone numbers entered during login.<p>> Attackers can also overwrite data such as posts owned by other users
At least one other person reported Hive Social vulnerabilities recently: <a href="https://twitter.com/zhuowei/status/1597739467645030400" rel="nofollow">https://twitter.com/zhuowei/status/1597739467645030400</a>
Slightly off topic:<p>In the video of the post you can see an option to run a script on an iPhone.<p>What's that option?
It's really an iPhone?
What are the capabilities of that functionality?
Don’t worry, I won’t.<p>Snark aside, I think the current platforms are going to be the only ones folks use; and then there’s going to be stuff that is entirely different.<p>These clones are getting just silly.
Wouldn't be surprised if it was just replacing a post ID in the update call to someone else's post and the server thinks it's fine. Anyone investigated yet?<p>[edit] Just read they took the server down, we will never know now.<p>[edit2] Astonishing how supportive the users are. I don't think a lot of users want to understand that all their data is on the streets. It's like they're actually deciding what they want to believe. Seems to be a trend in society.
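The bug class the comment above speculates about (an update call that trusts the client-supplied post ID and never checks who owns the post), shown as an added Python example that is not Hive's code; the Post model, the in-memory store and the function names are assumptions:

```python
# Added illustration of a missing server-side ownership check on an update
# endpoint. Not Hive's code; the data model and function names are assumed.
from dataclasses import dataclass


@dataclass
class Post:
    post_id: int
    owner_id: int
    body: str


def make_posts():
    """Constructed sample data standing in for a posts table."""
    return {
        1: Post(post_id=1, owner_id=100, body="alice's post"),
        2: Post(post_id=2, owner_id=200, body="bob's post"),
    }


def update_post_vulnerable(posts, caller_id, post_id, new_body):
    """Trusts post_id from the request: any logged-in user can edit any post."""
    post = posts.get(post_id)
    if post is None:
        return "not_found"
    post.body = new_body  # caller_id is never compared to post.owner_id
    return "ok"


def update_post_hardened(posts, caller_id, post_id, new_body):
    """Authorizes on the server: the caller must own the post being updated."""
    post = posts.get(post_id)
    # Same response for a missing post and for someone else's post, so the
    # endpoint does not reveal which post IDs exist.
    if post is None or post.owner_id != caller_id:
        return "not_found"
    post.body = new_body
    return "ok"


if __name__ == "__main__":
    posts = make_posts()
    print(update_post_vulnerable(posts, 100, 2, "edited by alice"))  # ok
    posts = make_posts()
    print(update_post_hardened(posts, 100, 2, "edited by alice"))    # not_found
```

The session-derived `caller_id` is the only identity the server should trust; the `post_id` in the request body is attacker-controlled input and must be authorized against it on every write.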
They couldn't have given them even a week before disclosing? Seems more black hat than white hat to do the disclosure this way (resulted in the app getting taken down).
Just want to point out that Hive Social is completely unrelated to Hive Blog (which is also a social network of sorts on the Hive blockchain).<p><a href="https://hive.blog/" rel="nofollow">https://hive.blog/</a>
It would be helpful if the reporter confirmed that this is an issue with this particular front-end and not with Hive in general.<p>Steem/Hive was the first web3 offering and a lot of new 'web3' projects that are getting a lot of publicity have yet to catch up to the basics that Steem/Hive had in place 6 years ago.