SOCIAL PHOTOBOOTH APP Snapchat is exposing iPhone users to denial of service attacks that cause the device to freeze and crash.
A security researcher who works for Telefonica, Jaime Sánchez demonstrated in a blog post how vulnerabilities in the app's use of security tokens mean that an attacker can send spam to the 4.6 million leaked account list in less than one hour.
Sánchez highlighted that the problem is that Snapchat, like many apps, uses security tokens for authentication.
Security tokens prove users' identities electronically in place of a password, verifying that the customer is who they claim to be without the original password, which might be captured by attackers, having to be sent with every request.
A token is created any time you make a request to Snapchat to update your contact list, add someone or send a snap, for example. That's called a request token, and it's based on your password and a timestamp.
"The problem is that tokens [don't] expire," Sánchez said. "I've been using for the attack one token [created] almost one month ago. So, I'm able to use a custom script I've created to send snaps to a list of users from several computers at the same time."
After launching a proof of concept attack to demonstrate that the vulnerability is real, Sánchez added that an attacker could instead direct all of the snaps at a single user as a DDoS attack.
"On iPhone, it will crash [your] phone and when it powers up, it still hangs until the attack is over," Sánchez said, demonstrating this in a video.
He demonstrated how this works by launching a Snapchat denial of service attack on an account.
"I sent his account 1,000 messages within five seconds, causing the device to freeze until [it] finally shut down and restarted itself," he said.
On Android devices, a denial of service attack doesn't cause those smartphones to crash, but instead slows them down. It also makes it impossible to use the app until the attack has finished.
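The two weaknesses described above are a request token that never expires and no cap on how many snaps one sender can push. The following is an added example, not Snapchat's code, of how a server could close both gaps: it assumes a token scheme (an HMAC over the username and issue time with a constructed server secret) and assumed limits (60-second token lifetime, 20 sends per 10 seconds), since the page does not give Snapchat's real format or thresholds.

```python
import hmac
import hashlib
from collections import deque

# Constructed values for this example only; not Snapchat's secret, format or limits.
SERVER_SECRET = b"example-server-secret"
TOKEN_TTL_SECONDS = 60        # assumption: a request token should be short-lived
RATE_LIMIT = 20               # assumption: max snaps per sender per window
RATE_WINDOW_SECONDS = 10


def issue_token(username: str, issued_at: int) -> str:
    """Bind a request token to the user and the time it was issued (assumed scheme)."""
    msg = f"{username}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_token(username: str, token: str, now: int) -> bool:
    """Reject forged tokens and, unlike the behaviour described in the article, stale ones."""
    try:
        issued_str, _mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    expected = issue_token(username, issued_at)
    if not hmac.compare_digest(expected, token):
        return False
    # Expiry check: a token captured a month ago must no longer be usable.
    return 0 <= now - issued_at <= TOKEN_TTL_SECONDS


class SendLimiter:
    """Sliding-window cap on sends per account, so one token cannot flood a recipient."""

    def __init__(self):
        self.sent = {}  # username -> deque of send timestamps

    def allow(self, username: str, now: float) -> bool:
        q = self.sent.setdefault(username, deque())
        while q and now - q[0] > RATE_WINDOW_SECONDS:
            q.popleft()               # drop timestamps outside the window
        if len(q) >= RATE_LIMIT:
            return False
        q.append(now)
        return True


def handle_send(username: str, token: str, limiter: SendLimiter, now: float) -> str:
    """Server-side gate for a 'send snap' request: fresh, valid token and within the rate limit."""
    if not verify_token(username, token, int(now)):
        return "rejected: bad or expired token"
    if not limiter.allow(username, now):
        return "rejected: rate limited"
    return "accepted"
```

With these checks a burst such as the 1,000 messages in five seconds quoted above is cut off after the first 20, and a token reused a month later is refused outright.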
Despite warning the company, Sánchez said Snapchat still hasn't resolved the issue.
"You still can use the same token for several requests, so the attack is still working. They told press they would contact the researcher to get more info to solve the problem. I didn't get any email."
Snapchat has, however, banned Sánchez's two testing accounts and the VPN IP address used to launch the proof of concept attack.
Last month, Snapchat was hit by a spam campaign that lured users with sexually suggestive photos and compromised URLs.
Discovered by Symantec, the spam messages, which usually involve an image of a scantily clad female draped in a robe, a towel or much less, also include some text asking users to "Add my Kik" along with a specially crafted user name on the Kik instant messaging app.