College social app Fizz is growing fast – maybe too fast • TechCrunch

Things are bleak in the tech sphere as we close out a year defined by plummeting stocks, persistent mass layoffs and a fall from grace for major social media companies. Yet Stanford dropout Teddy Solomon’s story of co-founding Fizz is so reminiscent of Facebook that he was introduced to his investor and now-CEO Rakesh Mathur as “the next Mark Zuckerberg.” So, is it a good time to be building a buzzy new social app, or is it a complete mess?

Venture capitalists at least seem to be eager to fund the future of social media. Fizz closed a $4.5 million seed round in June, and already, the social media app for college students raised its $12 million Series A. This fast growth from seed to Series A is almost unheard of in a bear market, but Fizz seems to be embracing the ethos to move fast and (hopefully not) break things.

Fizz is only available to college students, and users can only access the Fizz community for their own college. On the app, students can publish text posts, polls and photos without a username or identifying information attached. Like Reddit, classmates can upvote or downvote what they see in their feed. Users can DM each other, choosing to reveal their identity if they so desire.

When TechCrunch covered Fizz’s seed round in October, the app had launched on 13 campuses (each campus has its own individual community). In under two months, that number has doubled to 25 campuses. With the help of its Series A, led by NEA with participation from Lightspeed, Rocketship, Owl Ventures, Smash Ventures and New Horizon, Fizz’s goal is to reach 1,000 campuses by the end of 2023.

“What we’ve found is that Fizz is impactful across a variety of campus cultures, from highly academic Ivy League schools to party schools and now HBCUs,” co-founder and COO Teddy Solomon told TechCrunch. “Fizz is all about providing students with a safer, private and engaging space to connect about their shared experience of living on the same college campus, whatever that experience and culture may be.”

Fizz says it has reached 95% penetration among iPhone users (it doesn’t have an Android app yet) on campuses like Stanford, Dartmouth, Pepperdine and Bethune-Cookman — but the download numbers might be a bit inflated, since Fizz employs tactics like offering free donuts in exchange for downloads, which is standard among college-founded apps. Regardless, Fizz claims that over half of its users are engaging with the app every day, an impressive statistic in itself.

Fizz’s ascension has not been without conflict, though.

As reported by the Stanford Daily earlier this month, Fizz had a serious security vulnerability in November 2021. Three Stanford students discovered that anyone could easily query the app’s Google Firestone-hosted database to identify the author of any post on the platform, where all posts are billed as anonymous. They also found users’ personal information like phone numbers and email addresses — plus, the database was editable, which made it possible to edit posts and give any user moderator status.

“As soon as we became aware of the vulnerability, we worked with a security consultant who helped us to resolve that specific issue in 24 hours which ended the risk for our users. Subsequently, we notified all of our users of the fix and published the changes on our website,” Ashton Cofer, Fizz’s co-founder and CTO, told TechCrunch. Fizz told users about the issues via a blog post.

It is industry standard that when good-faith researchers find such glaring vulnerabilities, they report their findings to the company so that they can be mended before bad actors can exploit them. But these well-intentioned students told the Stanford Daily that “Fizz’s lawyer threatened us with criminal, civil, and disciplinary charges unless we agreed to keep quiet about the vulnerabilities.” The student newspaper obtained a copy of the letter (note: Fizz was called Buzz at the time).

Lawyers from the Electronic Frontiers Foundation (EFF) represented the three Stanford students in a response to Fizz’s legal threat.

“Your legal threats against the students endanger security research, discourage vulnerability reporting, and will ultimately lead to less security,” the EFF lawyers replied to Fizz.

TechCrunch asked Fizz why its team chose to pursue legal action at the time. Cofer said that he and Solomon had followed the recommendations of a cyber security consultant.

“Following the letter, we sat down with the hackers and resolved the matter amicably, and no further legal action has been pursued,” he said. “As we were a small team at the time, we chose to follow the advice of our consultants and legal counsel and we’re glad we were able to close out the discussion with the researchers on good terms.”

Cofer added that the security vulnerability also stemmed from the fact that the team was so small at the time — it was just Cofer and Solomon, who were then full-time college students. Now, Cofer says Fizz has a team of 25 employees, including engineers with decades of experience.

“Our security practices have significantly evolved and we remain committed to the security and privacy of our users as Fizz grows. Following this incident, we have ensured that the personal identifiable information (PII) of our users is stored in a separate, secure database, which is only accessible by Fizz administrators. This means that at no point can Fizz users, moderators or launch teams see another user’s PII,” Cofer said. Fizz outlines its security practices in more depth on its website.