That's such a success story, hitting 1M users as a hobby project, let alone from a teenager. I've never done anything close to this, and not for lack of trying...
I've been in Bay Area high tech software for a long time now, and more recently I've been participating more in the indie hacker scene. It is fascinating to me that I do know many extremely talented engineers who either dream of setting out on their own and never do, or they try and repeatedly fail. Then random novices in circumstances far removed from tech teach themselves a little coding online and start making 5 figure MRR quickly.
There are somewhat obvious explanations. Coding is only one subset of the skills to launch a successful software business, and not even the most important one. There's also a huge element of randomness and luck, especially for a single given project and especially for any type of free b2c social app. Also, people outside the Silicon Valley bubble have access to unique social circles that can serve as community "bootstrapping", which would be especially important for a social app.
Even knowing all that, there's an element of surprise when you see it happen.
I do suspect another big factor is that experienced people overthink things a bit, much like a child seems to learn a language faster than an adult but may only be more willing to make silly mistakes. Many of the best startups and indie projects would never be started by many experienced engineers because they're perceived as too simple, the market is too saturated, or simply they feel they'd look foolish for trying and failing to do something simple instead of trying and failing something complex.
> I do suspect another big factor is that experienced people overthink things a bit, much like a child seems to learn a language faster than an adult but may only be more willing to make silly mistakes.
The term for "failed to implement any kind of authorization in the API" isn't "silly mistakes", it's "professional negligence".
It's unethical to learn 101-level stuff by playing around with a million people's personal information. These guys should turn Hive off and never, ever turn it back on.
I think it's more that people outside of tech often also have great ideas that could potentially make a great MRR quickly, but most never even try, then a lot simply fail and you never hear from them too, then there's the ones who actually do learn all the coding required and other skills to make a successful website and actually do become successful, but by then the people you hear of being successful are of course just a small subset of the people who actually had a great idea for a successful business that would make high MRR quickly. So, to me, the idea or the need being solved is the primary driver of what ultimately makes a business successful, even though of course so many skills are required, amongst other things too.
All those things could be the case, but I think the most likely is that it's just random, and unlikely you'll ever succeed in the first place.
Case in point, why did you first learn programming? Probably because you wanted to build something, maybe because you thought it could be a success. Everybody starts as a non-tech person getting into it with a specific goal; really what makes you a programmer is the fact you failed, and unless you gave up you tried again and learnt and became better at your craft. Not to say that those that succeed the first time don't, but it's not as much of a natural process.
I started programming, as a lot of people do, because I wanted to make a game (and still do), and like a lot of people that first get into game dev, my first goal was to avoid doing that messy programming work myself and find someone that can do it for me. Again, like many, I tried this for a while, until someone reminded me that everyone who does this got into it for the same reason as me, and if they know what they're doing why would they drop their dream game for mine (unless I was paying).
In this case, I suspect the biggest factor is simply having the right product at the right time. Twitter goes to hell and you've got a Twitter alternative ready to go? That's the perfect timing for a successful product/service.
It's no surprise that things like Hive, Mastodon and Cohost have exploded in popularity recently.
Of course, whether these products will be the ones that do well in the long run is still an unanswered question. Hive's security issues and temporary shutdown came at the exact wrong time, Cohost's invite system is probably crippling it and people are still not 100% sure how to use Mastodon in some cases, so only time will tell which, if any, takes off.
> that's such a success story hitting 1M users as a hobby project, let alone from a teenager. I've never done anything close to this, and not for lack of trying...
Sounds like a lot of it is just being in the right place at the right time. Apparently most of the growth consists of people trying to flee Twitter due to Musk. Though doing that sounds like jumping from a sinking ship into a toy paper boat.
To be fair to them... that's a brave step for a startup to take. So many would try to stay quiet and fix the issues behind the scenes (hell, giant companies try this all the time!). They made the right move here.
NB, I don't use Hive and have no interest, I moved to Mastodon because I want to be in control of my data moving forward.
4 days from reporting to public posting is not a responsible disclosure policy. Even if they are slow in responding, the usual grace period is about 4 weeks if I recall.
1. They haven't disclosed anything of use to an attacker.
2. According to the post, Hive responded and said the issues had been fixed. Obviously they haven't, and at this point OP seems to have decided that the most responsible thing to do was to warn users of the platform that they aren't safe.
> 1. They haven't disclosed anything of use to an attacker.
I also don't believe this is "responsible" disclosure, but I also don't think it's fair to say this information is of no use.
To me this clearly signifies that there is no back-end authentication on their API. The whole app is probably written in JS with a simple database on the backside with no serious middleware on the server side. It would probably not be difficult to reverse engineer this hack by monitoring requests using simple dev tools, and then simply replaying them with altered content.
They don't offer a guide or any details about the exploit; this isn't really disclosure in the normal sense. Aside from any possible ulterior motives, the author may be just trying to light a fire under Hive Social's ass to get it fixed.
So, not disclosure from a security ops / policy perspective, but it is 'disclosure' in the sense that it's the equivalent of a 'here be dragons' comment on a map ... an endorsement for the 'curious'.
I wanted Mastodon to replace Twitter so we can finally see a mainstream Federated social media, to break free of corporate control over social expressions.
But with Hive there is nothing unique; it's a Twitter clone, which doesn't offer any technical or operational benefits, and also no major features.
If we are still going to use a centralized network, we might as well just continue using Twitter, a network with an existing social circle.
But whatever you thought of the old Twitter policy, that obviously changed. And they could’ve made that change without a new owner if they had chosen to.
Got a price on Andreessen being an investor in Hive? I just checked in Crunchbase and it looks like they’ve raised $3M but no specifics. And all I’m able to find is that it’s from an unnamed angel investor.
$3M seems small potatoes for Andreessen unless he’s trying to do a Tab vs Diet Coke thing and corner all the options.
That 75% of Twitter's userbase, per their own admission, is not from the USA, and falls under laws that require Twitter to do better at moderating their platform.
> The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes private email addresses and phone numbers entered during login.
> Attackers can also overwrite data such as posts owned by other users
It's with the Shortcuts app. You can make little actions that appear in the share menu. I have one for downloading videos from Twitter, for example. It's pretty limited in what it can do, but I've seen some cool shit people have made with it.
I once needed to download PDFs from emails, and then post just one page from each to a Web form – and all I had was an iPhone and 3G at a Caribbean beach bar. Shortcuts are less limited than I thought!
Wouldn't be surprised if it was just replacing a post ID in the update call to someone else's post and server thinks it's fine. Anyone investigated yet?
[edit] Just read they took the server down, we will never know now.
[edit2] Astonishing how supportive the users are. I don't think a lot of users want to understand that all their data is on the streets. It's like they're actually deciding in what they want to believe. Seems to be a trend in society.
They couldn't have given them even a week before disclosing? Seems more black hat than white hat to do the disclosure this way (resulted in the app getting taken down).
> After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to have fixed all issues. However multiple vulnerabilities we reported still exist...
It's a bit unfair to imply they engaged in some kind of irresponsible disclosure; they haven't disclosed any of the exploits.
Is it? Can't people read your DMs on Mastodon as well? If that is your concern then seems like all things are equal. I'm being somewhat obtuse but I don't see how Mastodon is a reasonable replacement for Twitter.
Unless a service or protocol provides end-to-end encryption, you should not use its messaging features for anything truly sensitive.
And no, this is not equal. The Hive authors seem to have completely failed to implement authorization for their API, allowing (it seems) anyone with a valid auth token to make a request as any other user, granting everyone access to everyone else's data.
This is a "car company doesn't know what seat belts are" level of incompetence.
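As an added illustration of the failure mode described above (a post ID swapped in an update call, and any valid token acting as any user), here is a handler that only authenticates the caller beside one that also checks ownership. This is not Hive's code; the token table, post store and function names are constructed assumptions.

```javascript
// Added illustration, not Hive's code: the same "update post" handler with
// the object-level authorization check missing, then with it present.
// SESSIONS, makeStore() and the handler names are constructed assumptions.

// Constructed session table: bearer token -> user id.
const SESSIONS = { "tok-alice": "alice", "tok-bob": "bob" };

// Constructed post store: post id -> { ownerId, body }.
function makeStore() {
  return {
    1: { ownerId: "alice", body: "alice's private post" },
    2: { ownerId: "bob", body: "bob's post" },
  };
}

function userFromToken(token) {
  return SESSIONS[token] || null;
}

// Vulnerable: the token is validated, so the caller is *some* user, but the
// post id taken from the request is never compared against that user.
function updatePostInsecure(store, token, postId, newBody) {
  const user = userFromToken(token);
  if (!user) return { status: 401 };
  const post = store[postId];
  if (!post) return { status: 404 };
  post.body = newBody; // any logged-in user can overwrite any post
  return { status: 200 };
}

// Hardened: identical authentication, plus an ownership check before the
// write. Authentication answers "who is this?"; this line answers "may they?".
function updatePostSecure(store, token, postId, newBody) {
  const user = userFromToken(token);
  if (!user) return { status: 401 };
  const post = store[postId];
  if (!post) return { status: 404 };
  if (post.ownerId !== user) return { status: 403 };
  post.body = newBody;
  return { status: 200 };
}
```

The 403 branch is also the event worth logging: a burst of them from a single token is how this kind of probing shows up on the server side.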
It would be helpful if the reporter confirmed that this is an issue with this particular front-end and not with Hive in general.
Steem/Hive was the first web3 offering, and a lot of new 'web3' projects that are getting a lot of publicity have yet to catch up to the basics that Steem/Hive had in place 6 years ago.
Caveat emptor.