updated 01:55 pm EST, Sun February 9, 2014
Use of security tokens allows Snapchat denial of service attack
Snapchat, the picture-based messaging platform, appears to have more problems on its hands after its recent account breach. It has been discovered that the program can be used in denial-of-service attacks against iOS- and Android-based phones, disabling or crashing the devices by sending thousands of messages to a device in a matter of seconds.
In a demonstration with the LA Times, Jaime Sanchez, a consultant for Telefonica, displayed the attack, which takes advantage of the security token authorization Snapchat uses: the tokens do not expire, so they can be recycled to send new messages. In a video, Sanchez was able to send 1,000 messages in five seconds, and the attack froze the iPhone application and reset the phone. The phone appears to continue hanging after restarting until the attack reaches its end.
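A server-side check that would reject the token recycling described above, as an added example that is not from the article, Sanchez's research or Snapchat's code: request tokens are time-limited and single-use, and accepted sends are capped per sender. The token format, key, function names and limits are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets
from collections import Counter, defaultdict, deque

SERVER_KEY = b"constructed-demo-key"   # constructed value, not a real secret
TOKEN_TTL = 30                         # seconds a token stays valid (assumed policy)
MAX_SENDS, WINDOW = 20, 10             # accepted sends per sender per WINDOW seconds (assumed)

def _mac(user, ts, nonce):
    msg = f"{user}|{ts}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(user, now):
    """Hypothetical token format: 'timestamp:nonce:mac', bound to one user."""
    ts, nonce = str(int(now)), secrets.token_hex(8)
    return f"{ts}:{nonce}:{_mac(user, ts, nonce)}"

class SendGate:
    def __init__(self):
        self.used = {}                     # token -> time after which it can be forgotten
        self.recent = defaultdict(deque)   # user -> times of accepted sends

    def check(self, user, token, now):
        parts = token.split(":")
        if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
            return "bad-token"
        ts, nonce, mac = parts
        if not hmac.compare_digest(mac.encode(), _mac(user, ts, nonce).encode()):
            return "bad-token"
        if now - int(ts) > TOKEN_TTL:
            return "expired"               # a non-expiring token would never be rejected here
        if token in self.used:
            return "replayed"              # one token authorizes one message
        sends = self.recent[user]
        while sends and now - sends[0] >= WINDOW:
            sends.popleft()
        if len(sends) >= MAX_SENDS:
            return "rate-limited"          # caps a flood that uses fresh tokens
        self.used = {t: exp for t, exp in self.used.items() if exp > now}
        self.used[token] = int(ts) + TOKEN_TTL + 1
        sends.append(now)
        return "accepted"

def flood(gate, user, count, seconds, fresh_tokens):
    """Run a burst of `count` sends in `seconds` through the gate and tally the verdicts."""
    captured, results = issue_token(user, 0), Counter()
    for i in range(count):
        now = i * seconds / count
        token = issue_token(user, now) if fresh_tokens else captured
        results[gate.check(user, token, now)] += 1
    return results
```

Calling `flood(SendGate(), "alice", 1000, 5, fresh_tokens=False)` models the burst rate quoted in the article with one recycled token; `fresh_tokens=True` models a sender that obtains a new token for every message.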
By his calculations, using a script and several computers at once could "let an attack send spam to the 4.5 million leaked account list in less than one hour." The attack hasn't appeared in the wild so far, but given the wealth of information available from previous breaches, it will only be a matter of time. One loophole has been closed: it allowed snaps to be spoofed from the teamsnapchat account, which is on every friend list, so the attack could be initiated against any user.
Sanchez notes on his blog that while the iPhone can experience a reset, Android phones have shown more resilience to the attack. They merely slow down and leave Snapchat unusable until the attack has run its course.
While Sanchez displayed the attack to the media, he said that he chose not to inform Snapchat of the situation because of how the company had handled issues in the past, most notably by ignoring warnings from Gibson Security, which tried to bring the possible exposure of user data to its attention; that exposure eventually came to fruition earlier this year.
In return, it appears that Snapchat's solution to the problem was not to fix the issue or reach out to Sanchez, but rather to block his accounts and IP.
My two accounts and IPs involved in the research of the Snapchat DoS has been banned. That's their countermeasure... pic.twitter.com/W5XOkkkQNc — Jaime Sanchez (@segofensiva) February 8, 2014