Top five Snapchat Security Vulnerabilities
How the App Learned Its Lessons
Snapchat is a popular mobile application that permits instant photo and video messaging. The feature that distinguishes Snapchat from Facebook Messenger, Viber, WhatsApp, and other messaging applications is the temporary nature of the recorded messages. The photos or videos of up to ten seconds sent to Snapchat friends are automatically deleted after they are received and viewed. At least, that is what Snapchat developers claimed.
Because it is fun to use, Snapchat is growing rapidly in popularity among the younger generation of app consumers. Almost half of Snapchat users (45%) are in the 18-24 age group. More than one-third of U.S. teenagers (16-19) and more than half of Irish youngsters have installed Snapchat and use it for daily communication with their friends.
However, since the beginning of its development in 2011, the app has gone through major cybersecurity challenges. At the end of 2013, Gibson Security published, and later updated, its Snapchat Security Disclosure, which contained details of the security vulnerabilities in Snapchat's architecture. The disclosure stressed that the indicated vulnerabilities could lead to a data breach.
A few months later, private credentials of 4.6 million U.S. Snapchat users, such as usernames and phone numbers, were made public on the Internet. The website SnapchatDB.info took responsibility for this incident. The attack was claimed to be a response to the previously identified weaknesses in the app's security.
Eventually, in 2014, the U.S. Federal Trade Commission announced a suit against the app that included six complaints regarding Snapchat's data security and privacy issues. The app was accused of misrepresenting its privacy policies and deceiving consumers about its use of service, data collection, and security measures. At the end of 2014, the final order settling the charges against Snapchat was approved. After the suit, Snapchat reached an agreement with the Federal Trade Commission and took reasonable measures to improve the app's data security.
This article discusses a list of Snapchat security vulnerabilities identified during the investigation conducted by the U.S. Federal Trade Commission (Section 2). It then examines the security measures taken by Snapchat in order to promote consumers' privacy and regain trust within its user community (Section 3). Finally, a conclusion is drawn (Section 4).
Section 2. Top five Snapchat Security Vulnerabilities
2.1 Saving photo and video messages
Snapchat markets its service as an instant messaging application that sends self-deleting messages, the so-called Snaps. Such messages sent through the app should vanish forever after the time period set by a user expires. However, the Federal Trade Commission indicated that this claim was misleading because there were several techniques that permitted accessing photo or video messages indefinitely. For example, in order to save a received message, a user could use a file browsing tool to access saved messages. Before October 2013, the files of video messages were stored outside the application's storage area. This permitted users to connect the mobile device to a computer and, after browsing its file system, to access and save the video files. Information about this vulnerability became public at the end of 2012. It took almost a year for Snapchat to mitigate this security flaw. After becoming aware of the vulnerability, Snapchat began encrypting video files that were sent through the app.
Another method for saving photo and video messages in Snapchat involved connecting to the app's application programming interface (API). Using this mechanism, third-party developers were able to log into the app remotely without using the original Snapchat application. In 2013, a number of third-party applications were developed that relied on this API vulnerability. The apps, which enabled downloading and saving received pictures, were publicly available in app stores such as the iTunes App Store and Google Play. The Federal Trade Commission claims that, during that period, “on Google Play alone, ten of these applications have been downloaded as many as 1.7 million times.” One of the largest cybercrimes related to Snapchat was committed using the hacked API. The operators of the website SnapSaved.com posted online thirteen gigabytes of pictures stolen from Snapchat users, some of them of an intimate nature. Eventually, alerted by this API vulnerability, Snapchat shut down the third-party application ecosystem in order to avoid similar information security breaches in the future.
Finally, the method for saving photos and videos in Snapchat that requires the least effort is taking a screenshot of the message while it is displayed on the screen. In 2012-2013, Snapchat's privacy policy claimed that the user would be informed as soon as a screenshot of the user's Snap was taken. However, the screenshot detection mechanism could be easily circumvented in the iOS operating system. This method was widely publicized on the Internet. Presently, potential Snapchat users are warned, before downloading the app from the iTunes App Store or Google Play, that “the Snap vanishes from the screen – unless they [the receivers] take a screenshot!”
The aforementioned message-saving mechanisms did not require sophisticated technical abilities, and the tools could be installed without modifying the Android or iOS operating systems. Thus, such tools were easily accessible to a large number of users and made the data of Snapchat users insecure.
2.2 Gathering geolocation information
Although today Snapchat warns its users that it gathers their location information for the purpose of the app's location-based features, this has not always been the case. From mid-2011 to the beginning of 2013, Snapchat's privacy policy claimed that the app “do[es] not ask for, track, or access any location-specific information from your device at any time while you are using the Snapchat application.” However, the Federal Trade Commission announced that, from October 2012 to February 2013, the Android version of the app gathered users' geolocation information and supplied the gathered data to the app's analytics tracking service provider. The information about users' location was collected by means of Wi-Fi and cell-based signals.
2.3 Deceptive collection of information in “Find Friends” function
In order to create a user network in the app, Snapchat offers to invite contacts with a function called “Find Friends.” Presently, Snapchat friends can be added in four ways, namely, (1) by username, (2) from the user's address book, (3) by Snapcode, or (4) by GPS signal, identifying Snapchat users that are located nearby.
However, the “Find Friends” function previously faced major security issues. From 2011 until February 2013, Snapchat's privacy policy implied that the only information collected by the app for the “Find Friends” function was the user's phone number, email address, and Facebook ID provided during the registration process. The Federal Trade Commission claimed that Snapchat gathered not only the aforementioned data, but also accessed the names and phone numbers of all contacts that were saved in the user's address book. Such unauthorized access was performed without informing the user or obtaining the user's consent.
After the “Find Friends” security vulnerabilities were identified, Snapchat updated the function in several respects. First, the app now gives its users the option to avoid appearing in the “Find Friends” search list. Second, Snapchat's privacy policy warns its users that “because Snapchat is all about communicating with friends, we may—with your consent—collect information from your device's phonebook and photos.”
2.4 Security problems in “Find Friends” function
The Federal Trade Commission also pointed out that Snapchat failed to employ reasonable security measures to protect its users' private information. Several early Snapchat features were highlighted for permitting unauthorized disclosure and misuse of users' personal information. For example, in the app's early days, individuals were not obliged to verify their telephone numbers during the registration process. Thus, fraudulent users were able to create fictitious accounts by providing other people's phone numbers at registration. Numerous Snapchat customers were misled by such fraudulent incidents. The customer complaints submitted to the Federal Trade Commission contained cases in which individuals sent photos and videos of a private or intimate nature to what they believed were their friends' numbers. However, the Snapchat accounts associated with those numbers belonged to fraudulent Snapchat users. Thus, personal information was unintentionally disclosed to unknown people. Moreover, numerous app users complained that their own phone numbers were associated with fictitious Snapchat accounts that sent inappropriate or insulting messages.
To address this issue, at the end of 2012, Snapchat began using a short message service (SMS) to verify the telephone number associated with a new Snapchat account. Presently, the app offers two options for verifying a new user during the registration process, namely, sending a short message or calling the provided phone number.
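The verification step described in this section, as an added example (not Snapchat's code and not part of the original article): a phone number is bound to an account, and becomes matchable in a “Find Friends” lookup, only after the code sent to that number is confirmed. The `Registry` class, its method names, the `send_sms` callback, the time-to-live and the attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a verification code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed before the code is discarded (assumed)


class Registry:
    """Hypothetical account store: a number is matchable only once verified."""

    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(phone, code); SMS gateway stand-in
        self.pending = {}          # username -> [phone, code_hash, expiry, tries]
        self.verified = {}         # phone -> username

    def register(self, username, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[username] = [phone, digest, time.time() + CODE_TTL, 0]
        self.send_sms(phone, code)  # only the holder of the phone sees the code

    def confirm(self, username, code, now=None):
        entry = self.pending.get(username)
        if entry is None:
            return False
        phone, digest, expiry, tries = entry
        now = time.time() if now is None else now
        if now > expiry or tries >= MAX_ATTEMPTS:
            del self.pending[username]       # expired or guessed too often
            return False
        entry[3] += 1
        guess = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(guess, digest):
            return False
        del self.pending[username]
        self.verified[phone] = username      # bind number to account only now
        return True

    def find_friends(self, address_book):
        # Unverified claims never match, so a fictitious account cannot be
        # reached through someone else's number.
        return {p: self.verified[p] for p in address_book if p in self.verified}
```
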
2.5 Phone freezing
Although the Federal Trade Commission did not address the flaw in Snapchat's security architecture that enables the remote freezing of users' mobile phones, this problem was widely reported in various media channels. A defect in the app's authorization system permits hackers to use denial-of-service attacks that can crash users' smartphones by sending a large number of messages in a short period of time. Receiving numerous messages at once causes the device to freeze and requires rebooting it. For Apple iPhone users, this security defect can cause more harm than for Android users. On the Android operating system, such an incident only slows down the device but does not require the system to reboot. This technical issue has not been addressed by Snapchat yet.
Section 3. Security Measures Taken by Snapchat
After the investigation conducted by the U.S. Federal Trade Commission that addressed the above-discussed security vulnerabilities, Snapchat entered into an agreement with the Commission. The app developers agreed to settle the charges of deceiving their consumers. Although the company did not receive a monetary fine, it was obliged to take certain security measures. According to the agreement, Snapchat had to update its privacy policy so that it would accurately reflect how the app works. Moreover, the protection of users' private information had to be strengthened. In order to avoid future security issues, the updated privacy policy will be monitored by the security authorities for the following twenty years.
In addition to the discussed measures for eliminating Snapchat security vulnerabilities, such as securing phone number verification and forbidding third-party apps to access users' information, the company has taken supplementary security measures. In order to promote its strengthened privacy and regain trust within Snapchat's user community, the company began publishing transparency reports. Snapchat's report, which is published every six months, lists the governmental requests regarding users' account information, removal of content, and copyright infringement. Moreover, the report provides information on how many of those requests were honored.
In addition, in order to identify any possible bugs in the app's architecture, Snapchat initiated a bug bounty program that encourages cybersecurity researchers to find and report any security vulnerabilities in Snapchat's applications. The app developers are particularly interested in four categories of security bugs, namely, (1) Server-Side Remote Code Execution, (2) Significant Authentication Bypass, (3) Unrestricted File System Access, and (4) XSS or XSRF With Significant Security Impact. Cybersecurity researchers who report the aforementioned types of bugs are rewarded with up to $10,000.
Moreover, Snapchat began offering optional two-factor authentication that helps to secure users' accounts. This measure applies when a user wants to access the Snapchat account from another device. Such a login requires not only submitting the account password, but also entering a code sent by short message to a phone linked to the user's account.
Section 4. Conclusion
Snapchat is an immensely popular instant messaging platform that permits its users to interact via chat and self-destructing video and photo messages. However, since its creation in 2011, the app developers have gone through a series of incidents related to Snapchat's security vulnerabilities.
This article has discussed five major Snapchat security vulnerabilities as highlighted by the U.S. Federal Trade Commission and media channels. Although Snapchat faced security issues concerning saving video and photo messages, gathering geolocation information, deceptive collection of information, insecure features, and phone freezing, its developers have successfully implemented the necessary security corrections and provided app users with extra security and transparency measures.
Thus, the security lessons learned by Snapchat could be an excellent source of inspiration for future application developers. Moreover, such incidents can help to rethink current privacy norms and raise security awareness among mobile app consumers.
REFERENCES
- http://blog.snapchat.com/post/85132301440/our-agreement-with-the-ftc
- http://gibsonsec.org/snapchat/fulldisclosure/
- http://www.businessinsider.com/flaw-in-snapchat-lets-hackers-crash-your-phone-2014-2?IR=T
- http://www.connectsafely.org/wp-content/uploads/snapchat_guide.pdf
- http://www.digitaltrends.com/mobile/new-snapchat-hack-crash-phone/
- http://www.forbes.com/sites/anthonykosner/2014/01/01/4-6-million-snapchat-usernames-and-phone-numbers-captured-by-api-exploit/
- http://www.ignitesocialmedia.com/social-media-stats/snapchat-stats-marketers/
- http://www.independent.co.uk/life-style/gadgets-and-tech/snapchat-hack-46-million-users-affected-9033983.html
- http://www.statista.com/statistics/321076/leading-snapchat-market-teens/
- https://en.wikipedia.org/wiki/Snapchat
- https://hackerone.com/snapchat
- https://play.google.com/store/apps/details?id=com.snapchat.android
- https://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were
- https://www.ftc.gov/system/files/documents/cases/140508snapchatcmpt.pdf
- https://www.snapchat.com/transparency/
Co-Author
Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master's degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.