This flaw, explained Jaime Sanchez on Seguridad Ofensiva, "is easy to understand." It involves Snapchat's use of tokens. A request token is created, based partly on the user's password and the time, for every interaction with Snapchat. "The problem," he writes, "is that tokens doesn't expire. I've been using for the attack one token create almost one month ago. So, I'm able to use a custom script I've created to send snaps to a list of users from several computers at the same time."
One result is described by the LA Times: "Sanchez demonstrated how this works by launching a Snapchat denial-of-service attack on my account. He sent my account 1,000 messages within five seconds, causing my device to freeze until it finally shut down and restarted itself." Although it restarts, the user cannot regain control of the iPhone while the attack continues.
"To conduct the proof of concept," noted Sanchez, "I only used two account I registered, from an iPhone and an Android phone. I haven't used it against any user. Well, I only used it to show the attack to the LA Time's reporter :)" The same attack against Android, he adds, "doesn’t cause those smartphones to crash, but it does slow their speed. It also makes it impossible to use the app until the attack has finished."
Although delivering a DoS attack against an individual phone might appear to have limited value to a cybercriminal (beyond prank or revenge attacks), Sanchez does point to a more serious issue. "I'm able to use a custom script I've created to send snaps to a list of users from several computers at the same time. That could let an attacker send spam to the 4.6 million leaked account list in less then one hour."
Sanchez told the LA Times that he hadn't contacted Snapchat before disclosing his findings "because he claims the Los Angeles startup has no respect for the cyber security research community. He says Snapchat earned that reputation by ignoring advice in August and on Christmas Eve from Gibson Security, a security group that predicted a flaw within the app could be used to expose user data. On New Year’s Eve, another group exploited that vulnerability and exposed the user names and phone numbers of nearly 5 million Snapchat users."
When the newspaper contacted Snapchat, a spokeswoman replied that the company was not aware of the issue. “We are interested in learning more and can be contacted at security@snapchat.com," she wrote in an email reply. Snapchat has not, however, contacted Sanchez – at least, not directly.
The problem has not been fixed "so the attack is still working... I didn't get any email," he added to his blog. The only visible response by Snapchat so far, he writes: "They've banned my two testing accounts and the VPN's IP I used to launch the proof of concept attack and the research..."