Printed from http://www.electronista.com

Snapchat vulnerability leaves phones open to attack

updated 01:55 pm EST, Sun February 9, 2014

Use of security tokens allows Snapchat denial of service attack

Snapchat, the picture-based messaging platform, appears to have more problems on its hands after its recent account breach. It has been discovered that the program can be used in denial-of-service attacks against iOS- and Android-based phones, disabling or crashing the devices by sending thousands of messages to them in a matter of seconds.

In a demonstration with the LA Times, Jaime Sanchez, a consultant for Telefonica, displayed the attack, which takes advantage of the security token authorization Snapchat uses: the tokens do not expire, so they can be recycled to send new messages. In a video, Sanchez sent 1,000 messages in five seconds, and the attack froze the iPhone application and reset the phone. The phone appears to continue to hang after restarting until the attack reaches its end.



By his calculations, using a script and several computers at once could "let an attack send spam to the 4.5 million leaked account list in less than one hour." The attack hasn't appeared in the wild so far, but given the wealth of information available from previous breaches, it will only be a matter of time. One loophole has been closed: it allowed snaps to be spoofed from the teamsnapchat account, which is on every friend list, so the attack could be initiated against any user.

Sanchez notes on his blog that while the iPhone can experience a reset, Android phones have shown more resilience to the attack. They merely slow down and leave Snapchat unusable until the attack has run its course.

While Sanchez displayed the attack to the media, he said that he chose not to inform Snapchat of the situation because of how the company had handled issues in the past, most notably by ignoring warnings from Gibson Security, which tried to bring the possible exposure of user data to its attention. That exposure eventually came to fruition earlier this year.

In return, it appears that Snapchat's solution to the problem was not to fix the issue or reach out to Sanchez, but rather to block his accounts and IP.
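The article attributes the flood to tokens that never expire and can be recycled for new messages, sent at a rate of 1,000 in five seconds. As an added illustration (not Snapchat's code and not part of the original article), the following Python shows a server-side check that rejects expired or replayed tokens and caps sends per sender; the token layout, all names and the limits are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

SERVER_KEY = secrets.token_bytes(32)  # constructed key for this example
TOKEN_TTL = 30    # assumed: seconds a token stays valid
MAX_SENDS = 20    # assumed: sends allowed per sender per window
WINDOW = 10       # assumed: rate-limit window in seconds


def issue_token(sender: str, now: float) -> str:
    """Mint a token bound to the sender, its issue time and a random nonce."""
    body = f"{sender}|{int(now)}|{secrets.token_hex(8)}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


class SendGate:
    """Hypothetical gate run before a message is queued for delivery."""

    def __init__(self):
        self.used = {}                    # token MAC -> time the token expires
        self.recent = defaultdict(deque)  # sender -> timestamps of accepted sends

    def check(self, sender: str, token: str, now: float) -> str:
        parts = token.split("|")
        if len(parts) != 4:
            return "reject: malformed"
        tok_sender, issued, _nonce, mac = parts
        body = "|".join(parts[:3])
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()) or tok_sender != sender:
            return "reject: bad token"
        if now - int(issued) > TOKEN_TTL:      # tokens stop working after the TTL
            return "reject: expired"
        # Forget MACs of tokens that are past their TTL anyway (linear scan for brevity).
        self.used = {m: exp for m, exp in self.used.items() if exp >= now}
        if mac in self.used:                   # each token authorizes one send only
            return "reject: replayed"
        window = self.recent[sender]
        while window and now - window[0] >= WINDOW:
            window.popleft()
        if len(window) >= MAX_SENDS:           # caps a burst even with fresh tokens
            return "reject: rate limited"
        self.used[mac] = int(issued) + TOKEN_TTL
        window.append(now)
        return "accept"
```

The rate cap is checked separately from the token because a sender who can obtain fresh tokens would otherwise still be able to flood a recipient.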





By Electronista Staff