A Spanish researcher, Jaime Sanchez, along with another researcher, has discovered a flaw in Snapchat's code that makes it possible for hackers to launch a denial-of-service attack.
Sending thousands of messages at one time through Snapchat to an individual user can cause the iPhone to freeze and eventually crash, forcing the user to do a hard reset. On an Android device the flaw does not cause a crash, but it slows the device down to such an extent that the application cannot be used while the attack is in progress.
Snapchat is a popular mobile application for iPhone and Android that allows users to send photos and videos. Once received, the messages are deleted after being opened. Every time a user sends a message, a code is created to verify the user's identity. The code, called a token, is a combination of letters and numbers.
The weakness in the Snapchat app, as discovered by Sanchez, is that it allows used tokens to be reused, and hackers can exploit this to send new messages.
Sanchez demonstrated the Snapchat vulnerability to Los Angeles Times reporter Salvador Rodriguez by sending 1000 messages within 5 seconds to his iPhone, causing the application to freeze and then crash.
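The standard server-side defence against the token reuse described above is to make each token single-use and short-lived, and to cap how fast one sender can deliver messages. The sketch below is an added example, not Snapchat's code or Sanchez's; the token layout, key, limits and the names `issue_token`, `MessageGate` and `simulate_flood` are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server secret
TOKEN_TTL = 30                        # assumed token lifetime, seconds
WINDOW, MAX_PER_WINDOW = 5, 20        # assumed per-sender rate limit

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user, now):
    """Token bound to a user, an issue time and a random nonce."""
    body = f"{user}|{int(now)}|{secrets.token_hex(8)}"
    return f"{body}|{_mac(body)}"

class MessageGate:
    def __init__(self):
        self.seen = {}    # nonce -> time after which it can be forgotten
        self.recent = {}  # sender -> timestamps of accepted messages

    def accept(self, user, token, now):
        parts = token.split("|")
        if len(parts) != 4:
            return "malformed"
        t_user, ts, nonce, mac = parts
        expected = _mac("|".join(parts[:3]))
        if t_user != user or not hmac.compare_digest(mac.encode(), expected.encode()):
            return "bad-token"
        if now - int(ts) >= TOKEN_TTL:
            return "expired"
        # Forget nonces whose tokens can no longer pass the expiry check.
        self.seen = {n: e for n, e in self.seen.items() if e > now}
        if nonce in self.seen:
            return "replayed"          # the reuse the article describes
        window = [t for t in self.recent.get(user, []) if now - t < WINDOW]
        self.recent[user] = window
        if len(window) >= MAX_PER_WINDOW:
            return "rate-limited"      # fresh tokens still cannot flood
        self.seen[nonce] = int(ts) + TOKEN_TTL
        window.append(now)
        return "ok"

def simulate_flood():
    """Constructed traffic: 1000 sends in 5 s with one token, then 1000 fresh tokens."""
    gate, now = MessageGate(), 1_000_000.0
    token = issue_token("alice", now)
    replay = [gate.accept("alice", token, now + i * 0.005) for i in range(1000)]
    fresh = [gate.accept("alice", issue_token("alice", now + 10), now + 10) for _ in range(1000)]
    return replay.count("ok"), replay.count("replayed"), fresh.count("ok"), fresh.count("rate-limited")

if __name__ == "__main__":
    print(simulate_flood())
```

Counting the `replayed` and `rate-limited` results per sender also gives the operations team a direct signal that a flood is being attempted.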
Sanchez wrote about his discovery on seguridadofensiva.com but has not contacted Snapchat because of the latter's lack of respect for the cyber security research community.
Earlier, in August and December 2013, Gibson Security informed Snapchat about a flaw that could divulge user data. The warning fell on deaf ears, and another group exploited the information to reveal the user names and phone numbers of nearly 5 million Snapchat subscribers.
When the Los Angeles Times contacted Snapchat about the flaw reported by Sanchez, the company spokeswoman appeared unaware of it but said that the company was interested in learning about it and gave an email address at which it could be contacted.
However, the official website does contain a message informing users that the company is working on the vulnerability and plans to contact Sanchez about the latest threat.
Meanwhile, Sanchez claims that his Snapchat account and IP address have been blocked by the app. The company could not be contacted to comment on that.