A new report on the latest Snapchat security snafu indicates that the iOS version of the popular messaging app is susceptible to denial-of-service attacks that can freeze or crash a user’s phone.
This was revealed by Spanish security researcher Jaime Sanchez who detailed the flaw in a blog post, explaining that he was able to send 1,000 messages in five seconds to a reporter’s iPhone, which caused the device to freeze, requiring a reboot.
According to Sanchez, the Snapchat app uses tokens to authenticate users rather than passwords. “A token is created any time you make a request to Snapchat to update your contact list, add someone, send a snap etc.” he wrote.
“The problem is that tokens don’t expire. I’ve been using for the attack one token create[d] almost one month ago. So, I’m able to use a custom script I’ve created to send snaps to a list of users from several computers at the same time. That could let an attacker send spam to the 4.6 million leaked account list in less than one hour.”
The attacker could target one user, sending all the snaps to one device in a denial of service (DoS) attack. The flaw is a product of Snapchat’s poor control over push notification requests.
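The two missing controls the article points to are session tokens that never expire and no limit on how fast one sender can push snaps. The following is an added example, not code from the article or from Snapchat, that models a server-side fix for both: a token that carries an HMAC-authenticated expiry, and a sliding-window rate limit per sender. The secret, the 24-hour token lifetime, the 50-sends-per-minute limit, the user name and the timestamps are all assumptions chosen for illustration; the `simulate_burst` function replays the article's figure of 1,000 messages in five seconds against these controls.

```python
"""Added example (not from the article or Snapchat): a minimal server-side
model of the two controls whose absence the article describes, namely
session tokens that expire and a per-sender rate limit on snap sends.
All names, limits and timestamps here are assumptions chosen for illustration."""
import hmac
import hashlib
from collections import defaultdict, deque

SECRET = b"server-side-signing-key (constructed for the example)"
TOKEN_TTL_SECONDS = 24 * 3600          # assumption: tokens live one day
MAX_SENDS = 50                          # assumption: at most 50 sends ...
WINDOW_SECONDS = 60                     # ... per rolling 60-second window


def issue_token(user: str, now: float) -> str:
    """Issue a token that carries its own expiry, authenticated with HMAC-SHA256."""
    expires = int(now) + TOKEN_TTL_SECONDS
    payload = f"{user}:{expires}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def validate_token(token: str, now: float):
    """Return the user if the token is authentic and unexpired, else None."""
    try:
        user, expires, tag = token.split(":")
    except ValueError:
        return None
    payload = f"{user}:{expires}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                      # tampered or forged token
    if now >= int(expires):
        return None                      # a month-old token is rejected here
    return user


class SendGate:
    """Sliding-window limiter: at most MAX_SENDS per sender per WINDOW_SECONDS."""

    def __init__(self):
        self._sent = defaultdict(deque)  # sender -> timestamps of recent sends

    def allow(self, sender: str, now: float) -> bool:
        window = self._sent[sender]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()             # drop sends that fell out of the window
        if len(window) >= MAX_SENDS:
            return False
        window.append(now)
        return True


def handle_send(gate: SendGate, token: str, now: float) -> str:
    """Decide one send request: 'invalid_token', 'rate_limited' or 'sent'."""
    sender = validate_token(token, now)
    if sender is None:
        return "invalid_token"
    if not gate.allow(sender, now):
        return "rate_limited"
    return "sent"


def simulate_burst(count: int, seconds: float) -> dict:
    """Replay the article's scenario: `count` sends in `seconds` with one fresh token."""
    start = 1_700_000_000.0              # constructed timestamp
    token = issue_token("alice", start)  # constructed user
    gate = SendGate()
    results = defaultdict(int)
    for i in range(count):
        now = start + seconds * i / count
        results[handle_send(gate, token, now)] += 1
    return dict(results)


def stale_token_result() -> str:
    """A token issued a month ago is refused even though its signature is valid."""
    start = 1_700_000_000.0
    old = issue_token("alice", start - 30 * 24 * 3600)
    return handle_send(SendGate(), old, start)


if __name__ == "__main__":
    print(simulate_burst(1000, 5.0))     # {'sent': 50, 'rate_limited': 950}
    print(stale_token_result())          # invalid_token
```

With these two checks in place the burst in the article is cut to the first 50 sends and the remaining 950 are refused before any push notification is generated, and a token older than its lifetime is rejected regardless of whether its signature is valid. Real deployments would keep the signing key out of source code and tune the window and limit to normal usage, but the structure is the same.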
Apple iPhone owners appear to be at the highest risk. Android devices are not likely to crash, but will run noticeably slower.
Those Snapchatters who have the app set to friends-only should be spared, as long as the attacker is not a member of their friends list.