
Crash & Burn: Snapchat Security Flaws Strike Again

By Gary Davis on Feb 12, 2014

Snapchat, the photo-sharing app that lets users send and receive photos that disappear after being viewed, has come under its fair share of fire recently. In January, the company was criticized for ignoring a security flaw that allowed 4.6 million user names and phone numbers to be leaked to the public. This month, another security flaw has been discovered. This time, the flaw allows hackers to flood a single Snapchat account with thousands of messages—freezing the device and forcing a reboot.

The type of attack described above is referred to as a denial-of-service attack. These types of attacks consist of efforts by cybercriminals to temporarily or indefinitely interrupt a service—in this case, that service is Snapchat.

When a user sends a message through Snapchat, a unique code made up of letters and numbers (called a token) is generated to verify their identity. These tokens are supposed to change for each sent message; however, researchers have discovered that hackers may be able to reuse old tokens to send massive amounts of new messages in a very short period of time. This flaw in the Snapchat security architecture could be exploited by hackers looking to send mass quantities of messages to numerous users or to launch an attack on a specific individual. Note that this attack can only be executed against users who have chosen to add the attacker to their Snapchat list of friends.
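The server-side control that closes this kind of gap is to accept each send token exactly once and to cap how fast one sender can deliver messages. The sketch below is an added example, not Snapchat's code: the class `SendTokenGate`, the token layout (`nonce.issued.mac`), and the limits are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class SendTokenGate:
    """Hypothetical server-side gate: one message per token, capped send rate."""

    def __init__(self, key, ttl=60, max_sends=5, window=10):
        self.key, self.ttl = key, ttl
        self.max_sends, self.window = max_sends, window
        self.used = {}                     # nonce -> time its token expires
        self.recent = defaultdict(deque)   # sender -> times of accepted sends

    def _mac(self, sender, nonce, issued):
        msg = f"{sender}|{nonce}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, sender, now=None):
        issued = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)
        return f"{nonce}.{issued}.{self._mac(sender, nonce, issued)}"

    def accept(self, sender, token, now=None):
        now = time.time() if now is None else now
        try:
            nonce, issued, mac = token.split(".")
            issued = int(issued)
        except ValueError:
            return "malformed"
        expected = self._mac(sender, nonce, issued)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "bad-signature"          # forged, or bound to another sender
        if not 0 <= now - issued <= self.ttl:
            return "expired"
        # Forget nonces whose tokens can no longer pass the expiry check.
        self.used = {n: exp for n, exp in self.used.items() if exp >= now}
        if nonce in self.used:
            return "replayed"               # an old token presented again
        sends = self.recent[sender]
        while sends and sends[0] <= now - self.window:
            sends.popleft()
        if len(sends) >= self.max_sends:
            return "rate-limited"           # fresh tokens, but too many sends
        self.used[nonce] = issued + self.ttl
        sends.append(now)
        return "ok"
```

The replay check alone stops token reuse; the rate limit covers a sender who requests a fresh token for every message.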

So, what do cybercriminals have to gain by putting a halt on your favorite selfie app, only to have you boot it back up again once you restart your phone? The jury’s still out on that one, as this attack hasn’t yet been practiced en masse. In fact, this vulnerability was only just discovered by a security researcher eager to demonstrate the potential weaknesses in the Snapchat app, not because of an actual reported attack.

After ignoring warnings from security professionals in December, the photo-sharing app appears not to have earned itself the best reputation among experts in the field. Jaime Sanchez, the security researcher who discovered this latest weakness, says he did not contact Snapchat about the vulnerability because, he claims, the Los Angeles-based startup has no respect for the cyber security research community.

Whether or not cybercriminals do in fact have a desire to exploit this bug, Snapchat would be wise to take notice, and so would you. Here are some tips to help you avoid a denial-of-service attack on your device:

  • Only accept Snaps from users you know. To do this, go to the Settings menu in Snapchat and under “Who Can Send Me Snaps” make sure you select “My Friends.” This will help ensure that cybercriminals cannot flood your Snapchat inbox.
  • When signing up for Snapchat, do not auto-import your contacts. If you allow Snapchat to add all contacts in your address book or all of your Facebook friends, you may receive more messages than you’d hoped for. Avoid this by manually selecting the friends and family members with whom you’d like to exchange Snaps.
  • Be on the lookout for app updates. When a company releases a new version of their app, they usually do so for two reasons—to update app features and to fix vulnerabilities or bugs. Stay on top of your updates and you’ll stay ahead of security issues, most of the time.
  • Install comprehensive security software. McAfee LiveSafe™ service can protect your mobile and home devices from security vulnerabilities. Specifically, McAfee LiveSafe will check your apps and alert you to ones that could be accessing personal information without your knowledge.

To stay updated on the latest consumer security threats, follow @McAfeeConsumer on Twitter and Like us on Facebook.

Gary Davis

 

 

 

 
