Another shot has been fired at the security of a popular photo messaging service that has recently been in the crosshairs of security researchers.
According to security expert Jaime Sanchez, a flaw in the Snapchat app for iOS could be used to launch a denial-of-service attack and cause the device to crash. The problem, he explained in a blog post, is that the security Snapchat uses for authentication don’t expire.
“I’ve been using for the attack one token created almost one month ago,” he blogged. “So, I’m able to use a custom script I’ve created to send snaps to a list of users from several computers at the same time. That could let an attacker send spam to the 4.6 million leaked account list in less than one hour.”
The list he is referring to is a collection of phone numbers and associated usernames posted online roughly a month ago by hackers taking advantage of an exploit revealed by Gibson Security in December. That particular exploit abused a security hole Gibson Security first notified Snapchat about in August.
To demonstrate his attack, Sanchez launched a denial-of-service attack on the phone of a LA Times reporter and was able to send his account 1,000 messages within five seconds. This caused the device to freeze until the reporter shut it down and restarted the phone.
“All push notifications systems work by having the mobile operating system (iOS in this case) issue an address which app publishers use to specify the delivery of the notification to the device,” he explained. “Apple Push Notification service transports and routes a notification from a given provider to a given device. A notification is a short message consisting of two major pieces of data: the device token and the payload. The device token is analogous to a phone number, and provides the required authentication for Apple to deliver a push message to the intended app.”
“Probably, Snapchat’s application doesn’t handle and control all the request and updates you receive, because of a poor implementation,” he continued. “So when you’re under this kind of attack, it might be crashing the device through the Push Notification System or something worse.”
Launching a denial-of-service attack on Android devices doesn’t cause those smartphones to crash, but it does slow their speed, he added. It also makes the app unusable until the attack has finished.
Snapchat did not respond to a SecurityWeek request for comment before publication. The company however has banned the two accounts Sanchez used for his demonstration.