Snapchat’s app contains a vulnerability that again allows hackers to infiltrate its system and launch an attack that temporarily freezes a user’s iPhone. The denial-of-service vulnerability was discovered by a cyber security researcher.
The researcher, Jaime Sanchez, is a consultant for Telefonica, a Spanish telecommunications firm. Sanchez claims that he and another researcher discovered a flaw in Snapchat’s code that hackers can take advantage of to send thousands of messages to individual users within a matter of seconds. Distancing himself from Telefonica, Sanchez claims that he and his colleague did the research and made the discovery while they were not at work.
Receiving such a large number of messages at one time can cause the app to become overwhelmed, which causes the iPhone itself to freeze and then crash. It may also force the user to do a hard reset.
Snapchat is a widely-downloaded app for Android devices and the iPhone on which users can send videos and photos to other users. Once received, the messages are deleted just seconds after being opened.
When a user sends a message within the app, a code consisting of letters and numbers, called a token, is created to verify the user’s identity. The flaw in Snapchat’s code is that it allows hackers to use tokens that have already been used in order to send new messages. Reusing the old tokens allows hackers to use powerful computers to send an extremely large number of messages to multiple users or to initiate an attack on isolated users.
Although Snapchat is also vulnerable on Android devices, the attack would not cause them to crash as it does iPhones; instead, it slows the user’s device to such an extent that the app is unusable until the hack is finished.
Although Sanchez is talking to the media, he has not told Snapchat about the weakness in its system because of the disregard the company showed for other researchers who warned it of a different flaw in its app in both August and December of last year. The company ignored the warnings, which led a different security group to use the flaw to publish nearly 5 million of Snapchat’s user names and phone numbers online.
When the L.A. Times asked the company if it was aware of the flaw that Sanchez claims exists, a spokeswoman stated that the company was unaware of the issue but was interested in learning about the vulnerability, and gave their email address. The company’s website now contains a message informing users that it is currently working on a solution and will be contacting Sanchez to obtain more information on the newest threat to its system.
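The token reuse described above comes down to a server that checks only that a token is genuine, not that it is fresh and unused. The following is an added example, not Snapchat’s code: the token format, signing key, names and limits are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical signing key
TOKEN_TTL = 30        # seconds a token stays valid (assumed value)
MAX_PER_WINDOW = 20   # accepted messages per sender per window (assumed value)
WINDOW = 10           # rate-limit window in seconds (assumed value)

def issue_token(user, now):
    """Issue a token bound to the user, the issue time and a fresh nonce."""
    body = f"{user}:{int(now)}:{secrets.token_hex(8)}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"

def signature_ok(token):
    body, _, mac = token.rpartition(":")
    good = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, good)

def accept_weak(token):
    """Flawed check: a genuine token is accepted every time it is presented."""
    return signature_ok(token)

class HardenedGate:
    """Accepts a token once, only while fresh, and caps each sender's rate."""
    def __init__(self):
        self.spent = {}    # token -> time at which it expires anyway
        self.recent = {}   # user -> times of recently accepted messages

    def accept(self, token, now):
        if not signature_ok(token):
            return "bad-signature"
        user, issued, _nonce, _mac = token.rsplit(":", 3)
        if now - int(issued) > TOKEN_TTL:
            return "expired"
        # Forget spent tokens only after they can no longer pass the age check.
        self.spent = {t: e for t, e in self.spent.items() if e >= now}
        if token in self.spent:
            return "replayed"
        times = [t for t in self.recent.get(user, []) if now - t < WINDOW]
        if len(times) >= MAX_PER_WINDOW:
            return "rate-limited"
        self.spent[token] = int(issued) + TOKEN_TTL
        self.recent[user] = times + [now]
        return "ok"
```

The expiry keeps the spent-token table small, and the per-sender cap bounds the damage even when every token presented is new.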
With the consent of L.A. Times reporter Salvador Rodriguez, Sanchez demonstrated the security vulnerability of Snapchat by sending 1000 messages in the space of five seconds to Rodriguez’ iPhone, which caused the app to freeze and the phone to crash.
Meanwhile, Sanchez claims that because he demonstrated the newest way that Snapchat can be hacked and froze the reporter’s iPhone, his accounts and his IP address have been blocked by the app. The company was unavailable for comment on that issue.
By Jennifer Pfalz