Nowadays, with a huge variety of messengers and related services available, one application still stands out from the rest. It is called Snapchat; it first became available in 2011 and immediately grew into an extremely popular application among adolescents and teenagers. In case you don't know what Snapchat is about and how it differs from similar products on the market, here are some details. The main appeal of this small messenger is that it not only lets its users send each other text, photo and video content, but also lets a sender 'auto-destroy' the sent item on both the recipient's device and the application's servers.
However, an independent developer named Jamie Sanchez has recently discovered a significant flaw in the famous messenger, which can be considered a potential threat to all iOS users. Sanchez claims that, due to a breach in the application's security framework, malefactors can easily organize DDoS attacks, which will either make the iPhone malfunction (up to shutting down) or allow a massive spam mail-out from the hacked device.
Technically, the vulnerability lies in the so-called authorization tokens (authToken), which are used to authorize an account. According to Sanchez, these tokens have no validity restrictions, and each time a user performs an action, Snapchat creates new ones. And since the tokens do not expire, they can be used and re-used from any other device simultaneously.
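
The token behaviour Sanchez describes, set beside a hardened variant, as an added example that is not Snapchat's code or part of the original post. The TokenStore class, the 900-second lifetime, the device binding and the device identifiers are assumptions made for illustration.

```python
import secrets

class TokenStore:
    """Toy auth-token store (constructed for this example, not Snapchat's code)."""

    def __init__(self, ttl=None, rotate=False, bind_device=False):
        self.ttl = ttl                  # lifetime in seconds; None = never expires
        self.rotate = rotate            # issuing a token revokes the user's older ones
        self.bind_device = bind_device  # token only valid on the device it was issued to
        self.tokens = {}                # token -> (user, device, issued_at)

    def issue(self, user, device, now):
        if self.rotate:
            self.tokens = {t: e for t, e in self.tokens.items() if e[0] != user}
        token = secrets.token_hex(16)
        self.tokens[token] = (user, device, now)
        return token

    def validate(self, token, device, now):
        entry = self.tokens.get(token)
        if entry is None:
            return None                 # unknown or revoked
        user, bound_device, issued_at = entry
        if self.ttl is not None and now - issued_at > self.ttl:
            del self.tokens[token]      # expired: drop it
            return None
        if self.bind_device and device != bound_device:
            return None                 # replayed from another device
        return user


def replay_check(store):
    """Return which replays the store accepts: (stale token, other device, a day later)."""
    first = store.issue("alice", "phone-A", now=0)      # constructed sample values
    second = store.issue("alice", "phone-A", now=10)    # new token after a user action
    stale = store.validate(first, "phone-A", now=20) == "alice"
    other_device = store.validate(second, "laptop-B", now=20) == "alice"
    day_later = store.validate(second, "phone-A", now=86_400) == "alice"
    return stale, other_device, day_later


if __name__ == "__main__":
    print("as reported:", replay_check(TokenStore()))
    print("hardened:   ", replay_check(TokenStore(ttl=900, rotate=True, bind_device=True)))
```

With the default settings every replay is accepted, which matches the description above; with a lifetime, rotation and device binding all three are rejected.
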
It is reported that, to prove his words, Sanchez demonstrated the flaw to an LA Times journalist by sending him about a thousand messages within only 5 seconds. Needless to say, the reporter's iPhone could not handle such a load and rebooted. Sanchez has also said that Snapchat blocked the test accounts through which he had discovered the vulnerability. The developer claims that the Snapchat administration does not respect the efforts of independent security researchers. Sanchez also recalled the earlier report by the Australian specialists (Gibson Security), which said that one can easily pull any information out of Snapchat's API, including such sensitive data as user names, personal information, and more, regardless of the user's privacy settings. It is known that Gibson Security officially informed Snapchat about this flaw; yet the popular messenger's administration ignored the researchers' statement.