Snapchat vulnerability can afflict iPhones
10 Feb 2014
A cyber security researcher has uncovered a vulnerability in the Snapchat photo-messaging mobile app that allows hackers to launch a denial-of-service attack which temporarily freezes a user's iPhone.
According to Jaime Sanchez, a cyber-security consultant for Telefonica, a major telecommunications company in Spain, he and another researcher found a weakness in Snapchat's system that allowed hackers to send thousands of messages to individual users in a matter of seconds. Sanchez said the two of them discovered the glitch independently.
Flooding one user with so many messages could clog their account to the point that the Snapchat app caused the entire device to freeze and ultimately crash, forcing the user to reset it.
With Snapchat, a popular mobile app for iPhone and Android devices, users can send each other photo and video messages that disappear a few seconds after the recipient opens them.
Every time a user attempted to send a message through Snapchat, a token (a code made up of letters and numbers) was generated to verify their identity. According to Sanchez, a flaw in Snapchat's system allowed hackers to reuse old tokens to send new messages.
By reusing old tokens, hackers could send massive numbers of messages from powerful computers. This method could be used by spammers to send bulk messages to numerous users, or it could be used to launch a cyber attack on specific individuals, he said.
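The two server-side controls that would have closed the gap the article describes are a send token that is accepted exactly once (so an old token cannot be replayed) and a cap on how many messages one inbox may receive per second. The following is an added illustration, not Snapchat's code; the `SendGate` class, its secret and the 20-per-second limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from typing import Optional


class SendGate:
    """Hypothetical gate in front of a message-send endpoint.

    issue_token() hands a sender a one-time token; send() accepts it
    once, rejects replays and rate-limits each recipient's inbox.
    """

    def __init__(self, secret: bytes, max_per_window: int = 20, window: float = 1.0):
        self.secret = secret                     # HMAC key; constructed for the example
        self.max_per_window = max_per_window     # messages one inbox may receive per window
        self.window = window                     # window length in seconds
        self.used = set()                        # nonces already spent (expire these in production)
        self.inbox_log = {}                      # recipient -> deque of recent send timestamps

    def _mac(self, sender: str, nonce: str) -> str:
        return hmac.new(self.secret, f"{sender}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def issue_token(self, sender: str) -> str:
        nonce = os.urandom(16).hex()             # fresh per token, so each token is single-use
        return f"{sender}:{nonce}:{self._mac(sender, nonce)}"

    def send(self, token: str, recipient: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        try:
            sender, nonce, mac = token.split(":")
        except ValueError:
            return "bad_token"
        if not hmac.compare_digest(mac, self._mac(sender, nonce)):
            return "bad_token"                   # forged or tampered token
        if nonce in self.used:
            return "replay"                      # an old token presented again
        recent = self.inbox_log.setdefault(recipient, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()                     # drop sends that fell out of the window
        if len(recent) >= self.max_per_window:
            return "rate_limited"                # this inbox is being flooded
        self.used.add(nonce)                     # spend the token only on an accepted send
        recent.append(now)
        return "accepted"
```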
TechCrunch reported that the bug could allow hackers to overload an inbox with messages and crash the iPhone, requiring the user to reset their device, and that it made Android devices noticeably slower.
In a statement, Snapchat said it was working to resolve the issue and would be reaching out to the security researcher who publicised the attack to learn more.
The security researcher had complained that Snapchat had no respect for the cyber security research community, as was shown recently when it ignored researchers' warnings about a security hole that could expose user data.
To prove their point, researchers ultimately published the phone numbers of about 4.6 million users.