Telefonica cyber security consultant Jaime Sanchez and fellow researcher Pablo San Emeterio discovered a weakness in the Snapchat iOS app over the weekend, with the vulnerability allowing would-be hackers to send thousands of messages to users in a matter of seconds.
Detailing his findings in a blog post, Sanchez said that sending this many messages to each user can ultimately fill up their account to the extent that the iPhone freezes, crashes and then restarts.
Snapchat's vulnerability centres on its authentication measures. The app, which famously self-deletes messages and videos sent between friends, uses electronic tokens to prove the sender and receiver's identity.
A token is created each time the user makes a request to Snapchat, such as when they update their contact list or send a photo. This is called a ‘request token’ and is based on the user's password and a timestamp, among other things.
However, while this approach is designed to ease the flow of messages, Sanchez and San Emeterio found that they were able to reuse a month-old token, meaning that spammers could potentially send hundreds of messages to numerous users, or even thousands to just one individual.
“That could let an attacker send spam to the 4.6 million leaked account list in less than one hour,” wrote Sanchez of the first scenario, referring to Snapchat's data breach in January when 4.6 million mobile phone numbers were leaked.
“The other problem is that any attacker could just send all the snaps to one user only, as a Denial of Service attack. It will crash your phone and when it powers up, it still hangs until the attack is over.”
Sanchez demonstrated this by sending 1,000 messages in five seconds to the Snapchat account of LA Times writer Salvador Rodriguez. The attack saw the iPhone freeze “until it finally shut down and restarted itself.”
On a brighter note, the researchers said that the issue simply slowed down Android devices and didn't affect those who employed friends-only settings (providing, of course, the attacker wasn't on this list).
Snapchat has since banned Sanchez's two testing accounts, and blocked his IP, but has not fixed the issue. The firm, which was the subject of a bid from Facebook at the start of the year, was not available for comment.
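
A server-side check that would reject the reused month-old token described above, as an added example that is not from Sanchez's post or Snapchat's code. It assumes a hypothetical HMAC token over user, timestamp and a one-time nonce (Snapchat's real token format is not given here), a 300-second validity window, and the illustrative names `make_token` and `TokenValidator`.

```python
import hashlib
import hmac

MAX_AGE = 300  # assumed policy: seconds a request token stays acceptable


def make_token(secret: bytes, user: str, ts: int, nonce: str) -> str:
    """Bind the token to the user, the request time and a one-time nonce."""
    msg = f"{user}|{ts}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class TokenValidator:
    """Rejects forged, stale and replayed request tokens (hypothetical scheme)."""

    def __init__(self, secrets: dict, max_age: int = MAX_AGE):
        self.secrets = secrets   # user -> per-user secret (bytes)
        self.max_age = max_age
        self.seen = {}           # (user, nonce) -> time the entry may be dropped

    def check(self, user: str, ts: int, nonce: str, token: str, now: int) -> str:
        secret = self.secrets.get(user)
        if secret is None:
            return "unknown-user"
        expected = make_token(secret, user, ts, nonce)
        # Constant-time comparison so the check does not leak a timing signal.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return "bad-signature"
        # Freshness: a validly signed token is still refused once it is old.
        if abs(now - ts) > self.max_age:
            return "stale"
        # Replay cache: a nonce only has to be remembered while its token
        # could still pass the freshness check, so the cache stays bounded.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if (user, nonce) in self.seen:
            return "replayed"
        self.seen[(user, nonce)] = ts + self.max_age
        return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real account data.
    v = TokenValidator({"alice": b"constructed-secret"})
    t0 = 1_700_000_000
    tok = make_token(b"constructed-secret", "alice", t0, "n-001")
    print(v.check("alice", t0, "n-001", tok, now=t0 + 1))           # first use
    print(v.check("alice", t0, "n-001", tok, now=t0 + 2))           # same token again
    print(v.check("alice", t0, "n-001", tok, now=t0 + 30 * 86400))  # a month later
```

Per-sender rate limiting is a separate control and is not shown; this block covers only token freshness and single use.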