A design flaw in popular photo messaging application Snapchat could allow a malicious user to send thousands of messages to an account simultaneously, effectively performing a denial-of-service attack, according to security researcher Jaime Sanchez. The flaw is the latest in a series of software security tussles that have arisen around the company in recent months.
Sanchez, a consultant for Spanish telecom company Telefonica, discovered the flaw along with another researcher on his own time, the Los Angeles Times reported. He found that Snapchat uses security tokens for authentication whenever a request is made to the service's servers. In other words, a request token is created any time users add a friend, update their contact list or send a message. The problem is that these tokens aren't set to expire, which means an attacker can reuse an old token to send new messages.
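To make the mechanism concrete, the following is an added example (not Snapchat's code or Sanchez's proof of concept) showing, on the server side, the difference between a request-token check that never expires tokens and one that enforces a lifetime and single use. The token format, the secret, the 60-second lifetime and the clock-skew allowance are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder; a real service loads this from a secret store.
SECRET = b"server-side-secret-placeholder"
TOKEN_TTL_SECONDS = 60      # assumed lifetime for a request token
CLOCK_SKEW_SECONDS = 5      # assumed tolerance for client/server clock drift


def issue_token(user_id, now=None):
    """Mint a request token bound to a user, an issue time and a random nonce.

    Format (assumed for this example): user:issued_at:nonce:hmac
    """
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    payload = f"{user_id}:{int(now)}:{nonce}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def _verify_signature(token):
    """Return (user_id, issued_at, nonce) if the HMAC is valid, else None."""
    try:
        user_id, issued, nonce, sig = token.split(":")
        issued = int(issued)
    except ValueError:
        return None
    payload = f"{user_id}:{issued}:{nonce}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return user_id, issued, nonce


def validate_weak(token, now=None):
    """Signature-only check, mirroring the flaw described in the article:
    a token captured once stays valid forever and may be presented again
    for any number of further requests."""
    return _verify_signature(token) is not None


class TokenValidator:
    """Hardened check: the token must be recent and is accepted only once."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._seen = {}  # nonce -> time after which the entry can be dropped

    def _purge(self, now):
        # Entries older than the TTL would fail the expiry check anyway,
        # so they can be forgotten without reopening a replay window.
        for nonce in [n for n, exp in self._seen.items() if exp < now]:
            del self._seen[nonce]

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        parsed = _verify_signature(token)
        if parsed is None:
            return False                      # tampered or malformed
        user_id, issued, nonce = parsed
        if issued > now + CLOCK_SKEW_SECONDS:
            return False                      # issued "in the future"
        if now - issued > self.ttl:
            return False                      # expired
        self._purge(now)
        if nonce in self._seen:
            return False                      # replay of a token already used
        self._seen[nonce] = issued + self.ttl + CLOCK_SKEW_SECONDS
        return True


if __name__ == "__main__":
    tok = issue_token("alice")
    print("weak, first use:   ", validate_weak(tok))
    print("weak, replayed:    ", validate_weak(tok))
    strict = TokenValidator()
    print("strict, first use: ", strict.validate(tok))
    print("strict, replayed:  ", strict.validate(tok))
```

The weak validator accepts the same token indefinitely, which is exactly what lets one captured token drive an unbounded stream of requests; the hardened validator bounds the damage to a short window and a single use, so a flood would need a fresh, authenticated token per message.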
"The original idea of using request tokens is to force users to create one, and then discard it for next time," Sanchez wrote in a blog post. "So, if you're an authenticated user, you'll be able to create another time and then make another request. The problem is that tokens doesn't [sic] expire."
With a simple script run on a computer, an attacker could easily use the same token to spam thousands of accounts or send thousands of messages to a single account. Sanchez demonstrated the latter scenario to an LA Times reporter, flooding the reporter's iPhone with 1,000 messages in five seconds. This caused the phone to freeze and restart itself. According to Sanchez, this is likely because the attack also overloads iOS's Push Notification service. While a denial-of-service attack on an Android device would not cause the phone to crash, it would begin to run extremely slowly, and the app would become unusable for the duration of the attack.
Sanchez told the LA Times that he did not report the issue to Snapchat because of the lack of respect the company has shown toward the software security community in other recent incidents. For instance, at the end of last year, researchers at Gibson Security published an exploit that would allow mass theft of Snapchat user info after reportedly receiving no response from the company. Hackers quickly used the exploit to pull account data for 4.6 million users.
Snapchat, which also has recently turned down acquisition offers worth billions, could suffer in the public eye if such software security incidents continue to occur. According to Sanchez, the company has still not addressed the flaw, although it did disable the accounts he used to generate his proof-of-concept attack.
As other companies look to emulate Snapchat's success in attracting industry attention and investment, using tools like source code analysis software during the development process can be a cheap, effective way to catch simple but potentially damaging flaws such as security tokens that are not set to expire. With a rigorous security mindset during development, companies can minimize their risk.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.