Snapchat vulnerability leaves phones open to attack

updated 01:55 pm EST, Sun February 9, 2014

Use of security tokens allows Snapchat denial of service attack

Snapchat, the picture-based messaging platform, appears to have more problems on its hands after its recent account breach. It has been discovered that the program can be used in denial-of-service attacks against iOS- and Android-based phones, disabling or crashing the devices by sending thousands of messages to them in a matter of seconds.

In a demonstration for the LA Times, Jaime Sanchez, a consultant for Telefonica, showed the attack, which takes advantage of the security token authorization Snapchat uses: the tokens do not expire, so they can be recycled to send new messages. In a video, Sanchez sent 1,000 messages in five seconds; the attack froze the iPhone application and reset the phone. The phone appears to continue hanging after restarting until the attack reaches its end.

By his calculations, using a script and several computers at once could "let an attack send spam to the 4.5 million leaked account list in less than one hour." The attack hasn't appeared in the wild so far, but given the wealth of information available from previous breaches, it will only be a matter of time. One loophole has been closed: it allowed snaps to be spoofed from the teamsnapchat account, which is on every friend list, to initiate the attack on any user.

Sanchez notes on his blog that while the iPhone can experience a reset, Android phones have shown more resilience to the attack. They merely slow down and leave Snapchat unusable until the attack has run its course.

While Sanchez displayed the attack to the media, he said that he chose not to inform Snapchat of the situation because of how the company had handled issues in the past, most notably by ignoring warnings from Gibson Security, which tried to bring the possible exposure of user data to its attention. That exposure eventually came to fruition earlier this year.

In return, it appears that Snapchat's solution to the problem was not to fix the issue or reach out to Sanchez, but to block his accounts and IP.
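A server-side check that refuses recycled request tokens and caps the send rate, as an added example (not code from the article, Sanchez or Snapchat). The token layout, the key, the 30-second lifetime and the 20-per-minute limit are all assumptions chosen for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
TOKEN_TTL = 30     # seconds a request token stays valid (assumed)
RATE_LIMIT = 20    # accepted sends per user per window (assumed)
RATE_WINDOW = 60   # seconds

def _mac(user, ts, nonce):
    msg = f"{user}|{ts}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(user, ts, nonce):
    """Hypothetical token bound to a user, an issue time and a one-time nonce."""
    return f"{user}|{ts}|{nonce}|{_mac(user, ts, nonce)}"

class SendGuard:
    def __init__(self):
        self.seen = {}  # (user, nonce) -> expiry time, for replay detection
        self.sent = {}  # user -> timestamps of accepted sends

    def check(self, token, now):
        """Return 'ok' or the reason the send request is refused."""
        try:
            user, ts, nonce, mac = token.split("|")
            ts = int(ts)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(mac, _mac(user, ts, nonce)):
            return "bad-mac"
        if not 0 <= now - ts <= TOKEN_TTL:
            return "expired"          # a non-expiring token would pass here
        # Forget nonces whose tokens can no longer validate anyway.
        self.seen = {k: e for k, e in self.seen.items() if e >= now}
        if (user, nonce) in self.seen:
            return "replayed"         # same token presented a second time
        recent = [t for t in self.sent.get(user, []) if now - t < RATE_WINDOW]
        self.sent[user] = recent
        if len(recent) >= RATE_LIMIT:
            return "rate-limited"     # fresh tokens, but too many sends
        self.seen[(user, nonce)] = ts + TOKEN_TTL
        recent.append(now)
        return "ok"
```

Expiry and the replay cache stop one captured token from being reused, while the per-user limit bounds a flood sent with freshly issued tokens.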

by MacNN Staff
