Snapchat’s security issues are drawing attention once again. This time, a cyber security researcher has discovered a vulnerability within the Snapchat mobile app that makes it possible for hackers to launch a denial-of-service attack that temporarily freezes a user’s iPhone. By exploiting a flaw in the photo messaging service, an attacker could render victims’ iPhones temporarily inoperable by flooding their account with messages.
Security consultant Jamie Sanchez discovered that Snapchat’s own security authorization tokens can be recycled to send thousands of messages over several seconds to a victim’s iPhone, leading to a device crash and reset. Since the security tokens don’t expire, hackers can reuse them to target individual users with a denial of service attack, or send spam messages to thousands of users.
Snapchat was criticized in early January when a group of hackers used the company’s own APIs, or the special pieces of code that let developers link their own apps into Snapchat, to collect 4.6 million user names and phone numbers. The hackers posted the information on the Internet, and to add insult to injury, Snapchat had been warned of the vulnerability months in advance.
Sanchez detailed his findings in a blog post over the weekend, explaining that the root cause is that Snapchat’s security tokens don’t expire. As Sanchez explains, new Snapchat tokens are generated to authenticate a user’s identity each time they send a new message or update their contact list. But because the tokens don’t expire, they can be re-used multiple times, either to send out spam from multiple devices to Snapchat users or to direct a load of requests at one target device.
“I’m able to use a custom script I’ve created to send snaps to a list of users from several computers at the same time. That could let an attacker send spam to the 4.6 million leaked account list in less than one hour,” he wrote. “The other problem is that any attacker could just send all the snaps to one user only, as a Denial of Service attack.”
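The missing server-side control, token expiry plus single-use enforcement, can be sketched as follows. This is an added example, not Snapchat's actual token scheme (which the article does not describe); the key, the 30-second lifetime and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
MAX_AGE = 30                          # assumption: token lifetime in seconds


def _mac(user: str, issued: int, body: bytes) -> str:
    # Bind the token to the sender, the issue time and this exact request body.
    msg = b"|".join([user.encode(), str(issued).encode(),
                     hashlib.sha256(body).digest()])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user: str, body: bytes, now: float) -> str:
    issued = int(now)
    return f"{issued}.{_mac(user, issued, body)}"


class TokenVerifier:
    """Accepts a token once, and only within MAX_AGE of its issue time."""

    def __init__(self):
        self._seen = {}  # canonical MAC -> time after which it can be forgotten

    def verify(self, user: str, body: bytes, token: str, now: float) -> str:
        try:
            ts, mac = token.split(".")
        except ValueError:
            return "malformed"
        if not (ts.isascii() and ts.isdigit()):
            return "malformed"
        issued = int(ts)
        expected = _mac(user, issued, body)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "bad-signature"
        if not 0 <= now - issued <= MAX_AGE:
            return "expired"
        # Forget entries that could no longer pass the expiry check anyway.
        self._seen = {m: t for m, t in self._seen.items() if t > now}
        # Key on the canonical MAC so "01000.<mac>" cannot dodge the cache.
        if expected in self._seen:
            return "replayed"
        self._seen[expected] = issued + MAX_AGE
        return "ok"
```

Because every accepted token is remembered only until it would expire, the replay cache stays bounded while a captured token becomes useless after its first use.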
Instead, he demonstrated the flaw to the LA Times. During the demonstration, Mr. Sanchez sent 1,000 messages to a reporter’s iPhone over five seconds, causing a hard crash and device reboot. Snapchat told the paper it wasn’t aware of the security flaw, then shut down Mr. Sanchez’s account and blocked his IP addresses.
Mr. Sanchez posted a photo on Twitter as proof, saying, “My two accounts and IPs involved in the research of the Snapchat DoS have been banned. That’s their countermeasure.”
Snapchat issued a statement saying they were working to resolve the issue and would be reaching out to the security researcher who publicized the attack to learn more.
The security researcher has complained that Snapchat has no respect for the cyber security research community. That was demonstrated recently when the service paid little heed to researchers’ warnings about a security hole that could expose user data, and the researchers ultimately published the phone numbers of about 4.6 million users to prove their point.