STE WILLIAMS

Snapchat token bug creates DoS attack for iOS, Android

Feb
10

4 reasons to outsource your DNS

A security consultant who works for Telefonica has turned up a bug in how Snapchat handles authentication tokens, which enables a denial-of-service attack against users’ phones.

It’s a simple enough problem, as Jaime Sánches explains http://www.seguridadofensiva.com/ here: the tokens should expire, but don’t. As a result, one token can be re-used on many machines, and with a little scripting, all those machines can be instructed to send pics.


“That could let an attacker send spam to the 4.6 million leaked account list in less then one hour”, Sánches writes. Or, in a DoS scenario, the machines could be instructed to hose a single user.

If the DoS is aimed at an iPhone, he says, it will freeze; Android phones don’t seem to lock up completely, but “it does slow their speed. It also makes it impossible to use the app until the attack has finished.”

Below is a YouTube video of the attack, demonstrated against an LA Times reporter’s smartphone.

Youtube Video

Sánches claims that rather than fixing the problem or contacting him, Snapchat has blocked the accounts he used to test the vulnerability. ®

Key Considerations for your Platform as a Service Strategy

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/02/10/snapchat_token_bug_creates_dos_attack_for_ios_android/

Comments

Comments are closed.