Snapchat Security Flaw Allows Attackers to Remotely Crash iPhone

by Istvan Fekete on February 10, 2014

Just in case you are sitting back relaxed, thinking that Snapchat, one of your favourite apps, is safer than ever before, here is something that should wake you up to reality: the app is making headlines once again because of its security flaws.

A new security issue discovered by researcher Jaime Sanchez allows an attacker to flood an iPhone with messages and cause it to crash. It is a simple error in the way the iOS application handles security tokens, which leaves the iPhone open to a denial-of-service attack that ends with the device crashing.

In a detailed description of the flaw, Sanchez explains the root cause: Snapchat's security tokens do not expire. A token is generated to authenticate a user's identity every time they send a new message or update their contact list.

So, how does this become an issue? Simple: because tokens don't expire, a captured token can be re-used not once but many times, and from many machines at once, either to send spam to Snapchat users or to direct a flood of requests at one targeted device.

“I’m able to use a custom script I’ve created to send snaps to a list of users from several computers at the same time. That could let an attacker send spam to the 4.6 million leaked account list in less than one hour,” he wrote. “The other problem is that any attacker could just send all the snaps to one user only, as a Denial of Service attack.”

Sanchez didn’t stop at sharing his findings in his blog post. He also contacted the LA Times and demonstrated that he could use his account to send 1,000 messages to a reporter’s iPhone in just five seconds, which caused the iPhone to crash.

He also told the LA Times that he informed Snapchat about the flaw only after posting about it on the Web. He decided not to report the flaw to the US company first because, in his view, it does not respect the work of security researchers (see the previous leak of 4.6 million Snapchat user details).


Written by: Istvan Fekete. www.digitcom.ca.
