The photo-sharing service Snapchat is facing yet another security headache now that a denial of service attack that targets iPhone and Android device users has been discovered. The company fumbled in early January with its handling of a security breach that let hackers make off with 4.6 million user names and phone numbers, and now it is faced with the news that its own app security system can be used to crash and reset victims' iPhones.
Snapchat security can be used in DoS attack
Security consultant Jamie Sanchez discovered that recycling Snapchat's own security authorization tokens lets an attacker send thousands of messages over several seconds to a victim's iPhone, leading to a device crash and reset. Since the security tokens don't expire, hackers can reuse them to target individual users with a denial of service attack, or send spam messages to thousands of users.
Since attackers can continue to flood victims' accounts with messages, their iPhones could potentially remain unusable until the digital assault stops. Android users suffer from performance loss and an inability to use the Snapchat app, but their devices don't crash from the attack.
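The server-side checks whose absence the report describes, shown as an added example (not Snapchat's code): a request token that expires and is accepted only once, plus a cap on messages per recipient. The article does not describe Snapchat's token format, so the HMAC scheme, key, names and limits here are all assumptions.

```python
import hashlib
import hmac
from collections import Counter, defaultdict, deque

SECRET = b"constructed-demo-key"  # placeholder key, constructed for this example
MAX_TOKEN_AGE = 30                # seconds a token stays valid (assumed limit)
WINDOW, MAX_PER_RECIPIENT = 10, 20  # at most 20 messages per recipient per 10 s (assumed)

def make_token(user, ts, nonce):
    """Hypothetical token: HMAC over user, timestamp and a per-request nonce."""
    msg = f"{user}|{ts}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class MessageGate:
    def __init__(self):
        self.seen = {}                    # (user, nonce) -> token timestamp
        self.recent = defaultdict(deque)  # recipient -> accepted delivery times

    def check(self, user, ts, nonce, token, recipient, now):
        if not hmac.compare_digest(token, make_token(user, ts, nonce)):
            return "bad-token"
        if abs(now - ts) > MAX_TOKEN_AGE:
            return "expired"              # tokens no longer live forever
        # Entries older than the validity window would be rejected as expired anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_TOKEN_AGE}
        if (user, nonce) in self.seen:
            return "replayed"             # the same token cannot be recycled
        self.seen[(user, nonce)] = ts
        q = self.recent[recipient]
        while q and now - q[0] >= WINDOW:
            q.popleft()
        if len(q) >= MAX_PER_RECIPIENT:
            return "rate-limited"         # fresh tokens still cannot flood one user
        q.append(now)
        return "ok"

def simulate(fresh_tokens):
    """Constructed traffic: 1,000 messages to one recipient over five seconds."""
    gate, results = MessageGate(), Counter()
    for i in range(1000):
        now = 1000.0 + i * 0.005
        ts, nonce = (now, str(i)) if fresh_tokens else (1000.0, "0")
        token = make_token("sender", ts, nonce)
        results[gate.check("sender", ts, nonce, token, "victim", now)] += 1
    return dict(results)

if __name__ == "__main__":
    print("one token recycled:", simulate(False))
    print("fresh token per message:", simulate(True))
```

Replay rejection alone stops the recycled-token case; the per-recipient cap is what bounds the load on a single device when every message carries a valid new token.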
Snapchat was criticized in early January when a group of hackers used the company's own APIs, or the special pieces of code that let developers link their own apps into Snapchat, to collect 4.6 million user names and phone numbers. The hackers posted the information on the Internet, and to add insult to injury, Snapchat had been warned of the vulnerability months in advance.
The company talked around the flaw and referred to it as "Find Friends Abuse" since the hack takes advantage of Snapchat's ability to use phone numbers to see if someone uses the service. Snapchat released an app update a few days later that let users unlink their phone number from their account, but continued to downplay the security issue.
Mr. Sanchez said he didn't bother to alert Snapchat because of how the company handled the earlier security flaw. "[Security researchers] warned Snapchat about issues -- about the possible dump of database -- and Snapchat didn't care," he said.
Instead, he demonstrated the flaw to the LA Times. During the demonstration, Mr. Sanchez sent 1,000 messages to a reporter's iPhone over five seconds, causing a hard crash and device reboot. Snapchat told the paper it wasn't aware of the security flaw, then shut down Mr. Sanchez's account and blocked his IP addresses.
Mr. Sanchez posted a photo on Twitter as proof, saying "My two accounts and IPs involved in the research of the Snapchat Dos has been banned. That's their countermeasure."
The Mac Observer has reached out to Snapchat asking about its plans for dealing with the authentication token issue. We have not yet heard back from the company.