Snapchat’s latest security woes have drawn more negative attention to the popular mobile application. This particular flaw enables attackers to spam other users’ iPhones with messages and crash them.
Details of the security flaw
Security researcher Jamie Sanchez uncovered the flaw and reported on it in a recent blog post. He explained that the problem is easy to understand as Snapchat uses security tokens to authenticate. These security tokens are used to identify the user electronically in lieu of a password. These tokens are created anytime the user requests Snapchat to send a picture, add someone, or update the contact list. The idea behind this is to create fresh tokens every time the user logs in and then the tokens are discarded afterward.
Snapchat causing system problems and iPhone crashes
Sanchez elaborates, “The problem is that tokens doesn’t expire. I’ve been using for the attack one token create almost one month ago. So, I’m able to use a custom script I’ve created to send snaps to a list of users from several computers at the same time. That could let an attacker send spam to the 4.6 million leaked account list in less then one hour. The other problem is that any attacker could just send all the snaps to one user only, as a Denial of Service attack. As you’ve seen on the video, on iPhone, it will crash you phone and when it powers up, it still hangs until the attack is over.”
ValueWalk's Raul Panganiban interviews William Burckart, The Investment Integration Project’s President and COO, and discuss his recent book that he co-authored, “21st Century Investing: Redirecting Financial Strategies to Drive System Change”. Q1 2021 hedge fund letters, conferences and more The following is a computer generated transcript and may contain some errors.
Users with friends-only settings shouldn’t have to worry too much as this flaw doesn’t affect them. Snapchat also blocked the accounts demonstrated. This isn’t the first time Snapchat had issues. Last December, the company was not using request tokens which enabled some users to remove it from the request as they sent the snap. The company’s servers also didn’t check the system which could allow users to spoof snaps from other user accounts.