Snapchat Denial-of-Service Attack Crashes iPhones

Senior editor, security and privacy
Updated

UPDATED 1:45 pm ET Feb. 8 with news that Snapchat had apparently blocked the researchers' accounts.

A flaw in the way Snapchat handles authentication tokens makes the image-messaging service vulnerable to a denial-of-service attack that can crash iPhones, two Spanish researchers say.

The researchers, Jaime Sanchez and Pablo San Emeterio, first detailed the flaw in a Spanish-language blog posting Jan. 12, then presented their findings at the ShmooCon security conference in Washington, D.C. on Jan. 18.

MORE: Best Smartphones 2014

But it was not until Sanchez spoke to reporter Salvador Rodriguez of the Los Angeles Times for a story published yesterday (Feb. 7) that the flaw got widespread attention.

Sanchez and San Emeterio found it was possible to copy the unique authentication token of a single Snapchat message and apply it to other messages, even those originating from other Snapchat accounts.

Flooding an iPhone with an overwhelming number of Snapchat messages that all bore the same authentication token would make the targeted iPhone seize up or crash, requiring a "hard" reset that rebooted the phone, Sanchez told Rodriguez.

Rodriguez posted a video of an iPhone 5s receiving what appear to be dozens of messages at once from the same sender, and then becoming unresponsive.

"Sanchez demonstrated how this works by launching a Snapchat denial-of-service attack on my account," Rodriguez wrote. "He sent my account 1,000 messages within five seconds, causing my device to freeze until it finally shut down and restarted itself."

The same attack on an Android phone slows, but does not crash, the device, Sanchez said.

Sanchez did not suggest how Snapchat might fix the problem. He told Rodriguez he did not plan to inform Snapchat of the flaw, citing what some have perceived as a hostile Snapchat attitude toward outside security researchers.

In the past six weeks, several security researchers have said they had informed Snapchat of flaws they had found in its smartphone apps, only to be ignored.

Two Australian researchers posted their findings online in late December, after having allegedly waited four months for a reponse from Snapchat.

A group of mischievous hackers quickly exploited those flaws to "scrape" Snapchat's servers and dump usernames and telephone numbers of 4.6 million North American Snapchat users online. 

Other researchers from Texas and Georgia complained of similar rebuffs from Snapchat, even as the company made partly unsuccessful efforts to fix the flaws the researchers pointed out.

"They doesn't care about security and make it easy having fun," Sanchez tweeted about the company following his ShmooCon presentation.

Snapchat told the L.A. Times it was not aware of the issue Sanchez and San Emeterio discovered, and invited the researchers to contact the company.

UPDATE: Via Twitter, Sanchez told Tom's Guide today (Feb. 8) that Snapchat had blocked him and San Emeterio from using the service.

"They banned our user accounts and the IP addresses involved in the research," Sanchez said.

In their presentation and posting, the researchers provided enough documentation for other skilled hackers to be able to replicate their findings.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.