February 10, 2014
Yet another vulnerability has been found in popular messaging app Snapchat.
Security researcher Jamie Sanchez reported a vulnerability within Snapchat that puts the app at risk of a denial-of-service attack.
Simply by inundating an inbox with messages, hackers can immobilize and crash an iPhone, making it necessary for the user to reset their phone. While the same attack doesn’t crash an Android-powered device, it does make it run visibly slower, the Los Angeles Times is reporting.
According to the report, each time a user tries to send a message via Snapchat, a token — a code made up of letters and numbers — is produced to confirm the user’s identity. Sanchez, in a blog post written in Spanish, said a bug within Snapchat’s system enables hackers to recycle old tokens to send new messages. This ability enables them to send large volumes of messages either to a number of users or to launch a cyber-attack on specific individuals, Sanchez told the Times.
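An added example, not taken from the article, Sanchez's post or Snapchat's code: it shows why recycled tokens work against a server that only checks that a token is genuine, and how an expiry window plus single-use tracking stops the flood. The token format, `TOKEN_TTL` and every name here are assumptions made for illustration.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed key, example only
TOKEN_TTL = 30                        # assumed validity window in seconds

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user, now):
    """Hypothetical per-message token: 'user:issued_at:nonce:mac'."""
    body = f"{user}:{int(now)}:{secrets.token_hex(8)}"
    return f"{body}:{_mac(body)}"

class TokenVerifier:
    def __init__(self, single_use):
        self.single_use = single_use
        self.seen = {}  # nonce -> time after which the token is expired anyway

    def accept(self, token, now):
        try:
            user, ts, nonce, mac = token.split(":")
            issued = int(ts)
        except ValueError:
            return False
        expected = _mac(f"{user}:{ts}:{nonce}")
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        if not self.single_use:
            return True   # weak: a genuine token is accepted forever, any number of times
        if abs(now - issued) >= TOKEN_TTL:
            return False  # stale (or future-dated) token
        # Forget nonces whose tokens have expired, so the replay cache stays bounded.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return False  # replay of an already-used token
        self.seen[nonce] = issued + TOKEN_TTL
        return True

def count_accepted(verifier, token, attempts, now):
    """Submit the same token repeatedly and count how many sends get through."""
    return sum(verifier.accept(token, now) for _ in range(attempts))

if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value
    token = issue_token("alice", t0)
    print("signature-only:", count_accepted(TokenVerifier(False), token, 1000, t0 + 1))
    print("single-use:    ", count_accepted(TokenVerifier(True), token, 1000, t0 + 1))
```

Server-side rate limiting per sender and per recipient is a separate control that complements this check.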
Sanchez went to the Los Angeles Times with news of the flaw before alerting Snapchat because, he says, the company “has no respect for the cyber-security research community.”
Snapchat, however, said it is “working to resolve the issue and will be reaching out to the security researcher who publicized the attack to learn more.”
Snapchat has been known in the past to ignore the warnings of security specialists.
Despite being notified of a major security issue four months before the New Year’s Eve hack, in which the attacker posted online the usernames and phone numbers of 4.6 million of the app’s users, Snapchat did nothing to increase its security.
Gibson Security first uncovered two major exploits — the ‘find friends’ hack and the ‘bulk registration’ hack — late last summer and immediately informed Snapchat.
The company did not update its application until days after the attack.
Since New Year’s, Snapchat has been hit by spammers — unwanted Snaps and disappearing photo messages were inundating its users. Its new security measure to solve ongoing issues was cracked within one day. Snapchat’s ‘find that ghost’ game at sign-up — a way to prove users are human and not a dreaded Internet robot — was described by computer expert Steve Hickson as “an incredibly bad way to verify someone is a person because it is such an easy problem for a computer to solve.”
Jennifer Cowan is the Managing Editor for SiteProNews.