Top 5 Snapchat security vulnerabilities

October 1, 2015 by Daniel Dimov

 How the app learned its lessons

Snapchat is a popular mobile application that allows instant photo and video messaging. The feature that distinguishes Snapchat from Facebook Messenger, Viber, WhatsApp, and other messaging applications is the temporary nature of the recorded messages. The photos or videos of up to 10 seconds sent to Snapchat friends are automatically deleted after they are received and viewed. At least, that is what Snapchat developers claimed.

Due to its fun use, the popularity of Snapchat is growing at a rapid pace among the younger generation of app consumers. Almost half of Snapchat users (45%) are in the 18-24 age group. More than one-third of U.S. teens (16-19) and more than half of Irish youngsters have installed and use Snapchat for daily communication with their friends.

However, since its development began in 2011, the app has gone through major cybersecurity challenges. At the end of 2013, Gibson Security published, and later updated, its Snapchat Security Disclosure, which contained details of the security vulnerabilities in Snapchat's architecture. The disclosure stressed that the indicated vulnerabilities could lead to a data breach.

A few months later, personal credentials of 4.6 million U.S. Snapchat users, such as usernames and phone numbers, were made public on the Internet. The website SnapchatDB.info took responsibility for this incident. The attack was claimed to be a response to the previously identified weaknesses in the app's security.

Finally, in 2014, the U.S. Federal Trade Commission announced a suit against the app that included six complaints regarding Snapchat's data security and privacy issues. The app was accused of misrepresenting its privacy policies and deceiving consumers about its use of service, data collection, and security measures. At the end of 2014, the final order settling charges against Snapchat was approved. After the suit, Snapchat made an agreement with the Federal Trade Commission and took reasonable measures to improve the app's data security.

This article will discuss a list of Snapchat security vulnerabilities identified during the investigation conducted by the U.S. Federal Trade Commission (Section 2). Moreover, the article will examine security measures taken by Snapchat in order to promote consumers' privacy and regain the trust within its user community (Section 3). Finally, a conclusion is drawn (Section 4).

Top 5 Snapchat security vulnerabilities

Saving photo and video messages

Snapchat markets its service as an instant messaging application that sends self-deleting messages, the so-called Snaps. Such messages sent through the app should disappear forever after the time period set by a user expires. However, the Federal Trade Commission indicated that this claim was misleading because there were several techniques that allowed accessing photo or video messages indefinitely. For example, in order to save a received message, a user could use a file-browsing tool to access saved messages. Before October 2013, the files of video messages were stored outside the application's storage area. This allowed users to connect the mobile device to a computer, browse its file system, and access and save the video files. The information about this vulnerability became public at the end of 2012. It took almost a year for Snapchat to mitigate this security flaw. After becoming aware of the vulnerability, Snapchat began encrypting video files that were sent through the app.

Another method for saving photo and video messages in Snapchat involved connecting to the app's application programming interface (API). By using this technique, third-party developers were able to log into the app remotely without using the original Snapchat application. In 2013, a number of third-party applications were developed around this API vulnerability. The apps that enabled downloading and saving received images were publicly available in app stores, such as the iTunes App Store or Google Play. The Federal Trade Commission claims that, during that period, "on Google Play alone, ten of these applications have been downloaded as many as 1.7 million times." One of the biggest cybercrimes related to Snapchat was committed using the hacked API. The operators of the website SnapSaved.com posted online 13 gigabytes of images stolen from Snapchat users, some of them of an intimate nature. Eventually, alerted by this API vulnerability, Snapchat shut down the third-party application ecosystem in order to avoid similar information security breaches in the future.

Finally, the method for saving photos and videos in Snapchat that requires the least effort is taking a screenshot of the message while it is displayed on the screen. In 2012-2013, Snapchat's privacy policy contained a claim that the user would be informed as soon as a screenshot of the user's Snap was taken. However, the mechanism of screenshot detection could be easily circumvented in the iOS operating system. This method was widely publicized on the Internet. Currently, potential Snapchat users are warned that "the Snap disappears from the screen – unless they [the receivers] take a screenshot!" before downloading the app in the iTunes App Store and Google Play.

The aforementioned message-saving techniques did not require sophisticated technical skills and allowed installation of the tools without modifying the Android or iOS operating systems. Thus, such tools were easily accessible to a large number of users and made the data of Snapchat users insecure.

Gathering geolocation information

Although today Snapchat warns its users that it gathers their location information for the purpose of the app's location-based features, it has not always been like that. From mid-2011 to the beginning of 2013, Snapchat's privacy policy claimed that the app "do[es] not ask for, track, or access any location-specific information from your device at any time while you are using the Snapchat application." However, the Federal Trade Commission declared that, from October 2012 to February 2013, the Android version of the app gathered users' geolocation information and supplied the gathered data to the app's analytics tracking service provider. The information about users' location was collected by means of Wi-Fi and cell-based signals.

Deceptive collection of information in "Find Friends" function

In order to create a user network in the app, Snapchat offers to invite contacts with a function called "Find Friends." Currently, Snapchat friends can be added in four ways, namely, (1) by username, (2) from the user's address book, (3) by Snapcode, or (4) by GPS signal, identifying Snapchat users that are located nearby.

However, the "Find Friends" function previously faced major security issues. From 2011 until February 2013, Snapchat's privacy policy implied that the only information collected by the app for "Find Friends" was the user's phone number, email address, and Facebook ID provided during the process of registration. The Federal Trade Commission claimed that Snapchat gathered not only the aforementioned data, but also accessed the names and phone numbers of all contacts that were saved in the user's address book. Such unauthorized access was performed without informing the user and without receiving the user's consent.

After the "Find Friends" security vulnerabilities were identified, Snapchat updated the function in several respects. First, the app now gives its users the option not to appear in the "Find Friends" search list. Second, Snapchat's privacy policy warns its users that "because Snapchat is all about communicating with friends, we may—with your consent—collect information from your device's phonebook and photos."

Security problems in "Find Friends" function

The Federal Trade Commission has also pointed out that Snapchat failed to employ reasonable security measures to protect its users' personal information. Several early Snapchat features were highlighted for allowing unauthorized disclosure and misuse of users' personal information. For example, in the app's early days, individuals were not obliged to verify their telephone numbers during the process of registration. Thus, fraudulent users were able to create fictitious accounts by providing other people's phone numbers during registration. Numerous Snapchat customers were misled by such fraudulent incidents. The customer complaints submitted to the Federal Trade Commission contained cases in which individuals sent photos and videos of a personal or intimate nature to what they believed were their friends' numbers. However, the Snapchat accounts associated with those numbers belonged to fraudulent Snapchat users. Thus, the personal information was unintentionally disclosed to unknown people. Moreover, numerous app users complained that their own phone numbers were affiliated with fictitious Snapchat accounts that sent inappropriate or insulting messages.

To address this issue, at the end of 2012, Snapchat started using the short message service (SMS) to verify the telephone number associated with a new Snapchat account. Currently, the app offers two options for verifying a new user during the process of registration, namely, sending a short message to or calling the provided phone number.

Phone freezing

Although the Federal Trade Commission did not address the flaw in Snapchat's security architecture that enables the remote freezing of users' mobile phones, this problem was widely reported in various media channels. A defect in the app's authorization system allows hackers to use denial-of-service attacks that can crash users' smartphones by sending a large number of messages in a short period of time. Receiving multiple messages at once freezes the device, which then has to be rebooted. For Apple iPhone users, this security defect can cause more harm than for Android users. On the Android operating system, such an incident only slows down the device but does not require the system to reboot. This technical issue has not been addressed by Snapchat yet.

Security measures taken by Snapchat

After the investigation conducted by the U.S. Federal Trade Commission that addressed the above-discussed security vulnerabilities, Snapchat entered into an agreement with the Commission. The app developers agreed to settle charges for deceiving their consumers. Although the company did not receive a monetary fine, it was obliged to take certain security measures. According to the agreement, Snapchat had to update its privacy policy so that it would complement the performance of the app. Moreover, the protection of users' personal information had to be fortified. In order to avoid future security issues, the updated privacy policy will be monitored by the security authorities for the following 20 years.

In addition to the discussed measures for eliminating Snapchat security vulnerabilities, such as securing phone number verification and forbidding third-party apps to access users' information, the company has taken supplementary security measures. In order to promote its fortified privacy and regain the trust of Snapchat's user community, the company began publishing transparency reports. Snapchat's report, which is published every six months, indicates the governmental requests regarding users' account information, removal of content, and copyright infringement. Moreover, the report provides information on how many of those requests were honored.

In addition, in order to identify any possible bugs in the app's architecture, Snapchat initiated a bug bounty program that encourages cybersecurity researchers to find and report any security vulnerabilities in Snapchat's applications. The app developers are particularly interested in four categories of security bugs, namely, (1) Server-Side Remote Code Execution, (2) Significant Authentication Bypass, (3) Unrestricted File System Access, and (4) XSS or XSRF With Significant Security Impact. The cybersecurity researchers who report the aforementioned types of bugs are rewarded with up to $10,000.

Moreover, Snapchat started using an optional two-factor authentication that helps to secure users' accounts. This measure is applied if a user would like to access the Snapchat account from another device. Such a login requires not only submitting an account password, but also using a code sent by a short message to a phone linked to the user's account.
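
The SMS check described above for registration, and reused here as the second login factor, is sketched below as an added example (not Snapchat's code and not part of the original article). The class name, the `send_sms` callable, the five-minute code lifetime and the five-guess limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed guesses allowed per code


class PhoneVerifier:
    """Links a phone number to an account only after proof of possession."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms            # hypothetical SMS gateway callable
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side MAC key
        self._pending = {}                   # (account, phone) -> challenge
        self.verified = set()                # pairs that passed the check

    def _mac(self, account, phone, code):
        # Store a keyed digest, not the code, and bind it to account and number.
        msg = f"{account}|{phone}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, account, phone):
        """Issue a fresh 6-digit code; used at sign-up or new-device login."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(account, phone)] = {
            "mac": self._mac(account, phone, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, code)

    def confirm(self, account, phone, submitted):
        """Return True only for the right code, in time, within the guess limit."""
        key = (account, phone)
        challenge = self._pending.get(key)
        if challenge is None:
            return False
        expired = self._clock() > challenge["expires"]
        if expired or challenge["attempts"] >= MAX_ATTEMPTS:
            del self._pending[key]           # force a new code to be issued
            return False
        challenge["attempts"] += 1
        if not hmac.compare_digest(challenge["mac"], self._mac(account, phone, submitted)):
            return False
        del self._pending[key]               # codes are single use
        self.verified.add(key)
        return True
```

An account that merely claims someone else's number never reaches `verified`, because the code is delivered only to the handset that owns the number.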

Conclusion

Snapchat is an immensely popular instant messaging platform that allows its users to interact via chat and self-destructing video and photo messages. However, since its creation in 2011, the app developers have gone through a series of incidents related to Snapchat's security vulnerabilities.

This article has discussed five major Snapchat security vulnerabilities as highlighted by the U.S. Federal Trade Commission and media channels. Although Snapchat faced security issues concerning saving video and photo messages, gathering geolocation information, deceptive collection of information, insecure features, and phone freezing, its developers have successfully implemented the necessary security corrections and provided app users with additional security and transparency measures.

Thus, the security lessons learned by Snapchat could be a great source of inspiration for future application developers. Moreover, such incidents can help to rethink current privacy norms and raise security awareness among mobile app consumers.

Co-Author

Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master's degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.