Printed from http://www.electronista.com

Snapchat vulnerability leaves phones open to attack

updated 01:55 pm EST, Sun February 9, 2014

Use of security tokens allows Snapchat denial of service attack

Snapchat, the picture-based messaging platform, appears to have more problems on its hands after its recent account breach. It has been discovered that the program can be used in denial-of-service attacks against iOS- and Android-based phones, disabling or crashing the devices by sending them thousands of messages in a matter of seconds.

In a demonstration with the LA Times, Jaime Sanchez, a consultant for Telefonica, displayed the attack, which takes advantage of the security token authorization Snapchat uses by recycling those non-expiring tokens to send new messages. In a video, Sanchez was able to send 1,000 messages in five seconds, and the attack froze the iPhone application and reset the phone. The phone appears to continue hanging after restarting until the attack reaches its end.
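A server-side check that would refuse the token recycling described above, as an added example that is not from the article or from Snapchat. The token format, key, lifetime and rate limits are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter, defaultdict, deque

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret
TOKEN_TTL = 30   # seconds a token stays valid (assumed policy)
MAX_SENDS = 20   # accepted sends per sender per window (assumed policy)
WINDOW = 10      # rate-limit window in seconds (assumed policy)

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user, nonce, now):
    """Hypothetical token 'user:issued:nonce:mac', bound to its issue time."""
    body = f"{user}:{int(now)}:{nonce}"
    return f"{body}:{_mac(body)}"

class SendGate:
    def __init__(self):
        self.seen = {}                   # token -> time its replay entry can be dropped
        self.sends = defaultdict(deque)  # user -> timestamps of accepted sends

    def allow(self, token, now):
        """Return 'ok' or the reason this send request is refused."""
        try:
            user, ts, nonce, mac = token.split(":")
            issued = int(ts)
        except ValueError:
            return "malformed"
        expected = _mac(f"{user}:{ts}:{nonce}")
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "bad-signature"
        if not 0 <= now - issued <= TOKEN_TTL:
            return "expired"             # a non-expiring token never hits this branch
        self.seen = {t: exp for t, exp in self.seen.items() if exp >= now}
        if token in self.seen:
            return "replayed"            # each token authorizes one send only
        recent = self.sends[user]
        while recent and recent[0] <= now - WINDOW:
            recent.popleft()
        if len(recent) >= MAX_SENDS:
            return "rate-limited"        # caps bursts even when tokens are fresh
        self.seen[token] = issued + TOKEN_TTL
        recent.append(now)
        return "ok"

def replay_burst(gate, token, start, count=1000, span=5.0):
    """Present one token `count` times over `span` seconds and tally the outcomes."""
    times = (start + i * span / count for i in range(count))
    return dict(Counter(gate.allow(token, t) for t in times))
```

With these limits, a burst of 1,000 requests in five seconds gets one message through when a single token is recycled, and 20 when every request carries a fresh token.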



By his calculations, using a script and several computers at once could "let an attack send spam to the 4.5 million leaked account list in less than one hour." The attack hasn't appeared in the wild so far, but given the wealth of information available from previous breaches, it will only be a matter of time. One loophole has been closed: it allowed snaps to be spoofed from the teamsnapchat account, which is on every friend list, to initiate the attack on any user.

Sanchez notes on his blog that while the iPhone can experience a reset, Android phones have shown more resilience to the attack. They merely slow down and leave Snapchat unusable until the attack has run its course.

While Sanchez displayed the attack to the media, he said that he chose not to inform Snapchat of the situation because of how the company had handled issues in the past, most notably by ignoring warnings from Gibson Security, which tried to bring the possible exposure of user data to its attention; that exposure eventually came to fruition earlier this year.

In return, it appears that Snapchat's solution to the problem was not to fix the issue or reach out to Sanchez, but rather to block his accounts and IP.





By Electronista Staff