Security Flaws with Snapchat and Poke Exposed

Marketing photo from the Snapchat website
Marketing photo from the Snapchat website

The over-thirties have long warned teenagers to beware of what they post on the internet – it tends to stay there and become an embarrassment in the future. But rather than ignore the over-thirties, the teenagers listened and turned to SnapChat and Poke. Snapchat is a smartphone app; Poke is a more recent copy by Facebook. The purpose of both is to allow users to send embarrassing, drunk, rude photos or videos to friends – but have them disappear quickly.

The idea is relatively simple: the photos or videos are quickly removed from the receiving device and the provider’s servers. The execution, as ever when ‘security’ is involved, is not so simple. Graham Cluley from Sophos warned back in November, “It sounds like a neat solution, if the picture is only visible for 10 seconds... But the truth is that anyone can take a screenshot of their device (if they are nimble fingered enough) and create their own copy of the image.”

Since Cluley’s early warning, further problems have come to light. A week ago BuzzFeed explained how users can easily keep videos that are sent to them – perhaps that video from the XGF showing what has been lost. The secret is not to open the video, but to connect the phone to a computer and browse to the file with a phone browser. “Copy the videos to your computer,” says BuzzFeed. “Critically, Snapchat's videos remain in this folder even after they're viewed; Poke videos appear to be deleted as soon as they're viewed.”

The danger is clear. Videos claimed to be safe and deleted may not have been – and may yet be passed around the classroom for all, friend or foe, to see.

Now a new flaw in Snapchat has come to light. The Sydney Morning Herald reports today, “Geoff Stearns, the creator of SWFObject, a popular open-source JavaScript file for embedding Adobe Flash content on web pages, discovered the email flaw and reported it to Snapchat on December 14.” After two weeks with no reply, he went public.

If you ask for a password reset, Snapchat will send the new password to your email account. The problem is that it displays that email account on the screen. So, if an attacker can guess or knows a target’s username, he can simply attempt to log in to Snapchat with the username and any made-up password, and Snapchat will helpfully display the user’s email address.

This flaw is now fixed. Stearns’ Twitter comment was spotted and forwarded to Snapchat’s CEO Evan Spiegel. “Update:” wrote Stearns. “They just fixed it. Thanks, snapchat!” But the moral is clear: security is never as easy or as straightforward as is sometimes claimed.

What’s Hot on Infosecurity Magazine?