A vulnerability in Snapchat allows attackers to launch denial-of-service attacks against users of the popular photo messaging app, causing their phones to become unresponsive and even crash.
According to Jaime Sanchez, the security researcher who discovered the issue, authorization tokens accompanying Snapchat requests from authenticated users don't expire.
These tokens are generated by the app for every action -- like adding friends or sending snaps -- in order to avoid sending the password every time. However, since past tokens don't expire, they can be reused from different devices to send commands through the Snapchat API (application programming interface).
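The server-side check that the behavior described above lacks can be sketched as follows. This is an added example, not Snapchat's code or token format: the `TokenVerifier` class, the `ts.nonce.mac` layout, the HMAC-SHA256 construction and the 30-second lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time


class TokenVerifier:
    """Per-request tokens that expire and are accepted only once (hypothetical scheme)."""

    def __init__(self, secret: bytes, max_age: int = 30):
        self.secret = secret
        self.max_age = max_age   # seconds a token stays valid (assumed policy)
        self.seen = {}           # accepted token -> time after which it is stale anyway

    def _mac(self, user: str, action: str, ts: int, nonce: str) -> str:
        # Bind the token to the user, the action, the issue time and a nonce.
        msg = f"{user}|{action}|{ts}|{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, action: str, now=None) -> str:
        ts = int(time.time() if now is None else now)
        nonce = secrets.token_hex(8)
        return f"{ts}.{nonce}.{self._mac(user, action, ts, nonce)}"

    def verify(self, user: str, action: str, token: str, now=None) -> str:
        now = int(time.time() if now is None else now)
        # Forget tokens that can no longer pass the freshness check.
        self.seen = {t: exp for t, exp in self.seen.items() if exp >= now}
        try:
            ts_str, nonce, mac = token.split(".", 2)
            ts = int(ts_str)
        except ValueError:
            return "malformed"
        expected = self._mac(user, action, ts, nonce)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "bad-signature"
        if not 0 <= now - ts <= self.max_age:
            return "expired"     # old tokens stop working
        if token in self.seen:
            return "replayed"    # a fresh token is still single-use
        self.seen[token] = ts + self.max_age
        return "ok"
```

With both checks in place, a captured token is useless after its first use and after the lifetime window, whichever comes first.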
"I'm able to use a custom script I've created to send snaps to a list of users from several computers at the same time," Sanchez said. "That could let an attacker send spam to the 4.6 million leaked account list in less than one hour."
Hackers exploited a different vulnerability in Snapchat at the beginning of January to extract over 4.6 million phone number and user name pairs from the service. They then posted the list online.
However, in addition to spamming a large number of users, the new issue discovered by Sanchez can also be used to attack a single user by sending him hundreds or thousands of snaps using unexpired tokens.
When this attack is performed against a user who uses Snapchat on an iPhone, his device will freeze and the OS will eventually reboot itself, Sanchez said.
The researcher demonstrated the attack against the iPhone of a reporter from the Los Angeles Times with his approval by sending 1,000 messages to the reporter's Snapchat account within five seconds. A video of the demonstration was also posted on YouTube.
"Launching a denial-of-service attack on Android devices doesn't cause those smartphones to crash, but it does slow their speed," Sanchez said. "It also makes it impossible to use the app until the attack has finished."
There is a limiting factor to this attack: the default privacy setting in Snapchat that only allows accounts in a user's friends list to send him snaps, meaning the attacker would first have to convince the targeted user to add him as a friend. According to Snapchat's documentation, sending a snap to a user without being in his list of friends will result in the user receiving a notification so they can add back the sender.
Users who changed their account's default privacy setting so they can receive snaps from anyone would be directly exposed to the attack described by Sanchez.
Snapchat did not immediately respond to a request for comment.