Saturday, February 8, 2014

How to use Snapchat to DoS attack any iPhone


A vulnerability in the Snapchat app opens the iPhone up to denial-of-service attacks that can cause the device to freeze and crash. It has been covered by several news outlets:
- LA Times: Hackers can use Snapchat to disable iPhones, researcher says
- ALT1040: Snapchat y su falta de seguridad: expertos en seguridad españoles nos hablan de sus vulnerabilidades
- MacRumors: Snapchat Vulnerability Can Lead to iPhone Denial-of-Service Attacks
- The Daily Dot: Huge Snapchat security flaw could let hackers shut down your iPhone
- TechCrunch: Newly Discovered Snapchat Weakness Could Allow Hackers To Crash Your Phone
- Tom's Guide: New Snapchat Flaw Crashes iPhones
- The Hacker News: Snapchat vulnerable to denial-of-service attack, allows remotely crash iPhone

THE PROBLEM

Well, the problem is easy to understand. Snapchat uses security tokens for authentication. Security tokens are used to prove one's identity electronically, in place of a password, so that the client can prove it is who it claims to be without sending the original password, which could be captured by attackers.

A token is created any time you make a request to Snapchat to update your contact list, add someone, send a snap, etc. That's called a request token, and it is derived from your password and a timestamp (among other things). The original idea behind request tokens is to force the client to create one, use it, and then discard it; an authenticated user can simply create another one for the next request.

The problem is that tokens don't expire. For the attack I have been using a single token created almost a month ago. So I am able to use a custom script I've created to send snaps to a list of users from several computers at the same time. That would let an attacker send spam to the 4.6 million accounts on the leaked list in less than one hour.
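The server-side check that the paragraph above says is missing, as an added illustration that is not Snapchat's code and not part of the original post: a request token that is bound to the user and an issue timestamp, accepted only while fresh, and accepted only once. The token format, the signing secret, the five-minute TTL and the `RequestTokenValidator` class are all constructed for this example; Snapchat's real token derivation is not described on this page.

```python
import hashlib
import hmac

# Constructed values for this example; a real service would load the
# secret from a secrets store and tune the TTL to its own needs.
SERVER_SECRET = b"example-signing-secret-not-for-production"
TOKEN_TTL_SECONDS = 300  # a request token is only honoured for five minutes


def make_request_token(username: str, issued_at: int) -> str:
    """Hypothetical token format: "<issued_at>:<hmac>", where the HMAC binds
    the token to the user and to the issue time so neither can be altered."""
    mac = hmac.new(SERVER_SECRET, f"{username}:{issued_at}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


class RequestTokenValidator:
    """Server-side check that a request token is genuine, fresh and unused."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._spent = {}  # token -> issued_at, for tokens already accepted

    def validate(self, username: str, token: str, now: int) -> str:
        # 1. Parse: reject anything that is not "<int>:<hex>".
        try:
            issued_str, mac = token.split(":", 1)
            issued_at = int(issued_str)
        except ValueError:
            return "malformed"
        # 2. Integrity: the HMAC must match for this user and timestamp,
        #    so a token minted for one account cannot be presented for another.
        expected = hmac.new(SERVER_SECRET, f"{username}:{issued_at}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "bad-signature"
        # 3. Freshness: a month-old token, like the one described above, fails here.
        if now - issued_at > self.ttl:
            return "expired"
        # 4. Single use: the same token presented a second time is a replay.
        if token in self._spent:
            return "replayed"
        self._spent[token] = issued_at
        self._prune(now)
        return "ok"

    def _prune(self, now: int) -> None:
        # Spent tokens older than the TTL are rejected by the freshness check
        # anyway, so the replay table only needs to remember the last TTL seconds.
        self._spent = {t: ts for t, ts in self._spent.items() if now - ts <= self.ttl}


if __name__ == "__main__":
    v = RequestTokenValidator()
    tok = make_request_token("alice", issued_at=1_000)
    print(v.validate("alice", tok, now=1_100))                # ok
    print(v.validate("alice", tok, now=1_101))                # replayed
    print(v.validate("alice", tok, now=1_000 + 30 * 86_400))  # expired
```

The order of the checks matters: the signature is verified before the timestamp is trusted, so a client cannot extend a token's life by editing the clear-text timestamp, and the replay table is only consulted for tokens that are already known to be genuine and fresh, which keeps it small.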

The other problem is that an attacker could direct all of those snaps at a single user, as a denial-of-service attack. As you can see in the video, on an iPhone it crashes the phone, and when it powers back up it keeps hanging until the attack is over.

You can see the slides of our talk at Shmoocon for more information:



THE ATTACK

To conduct the proof of concept I only used two accounts I registered myself, one from an iPhone and one from an Android phone. I haven't used it against any other user. Well, I only used it to show the attack to the LA Times reporter :)

I demonstrated how this works by launching a Snapchat denial-of-service attack on the LA Times reporter's account. I sent his account 1,000 messages within five seconds, causing the device to freeze until it finally shut down and restarted itself:



Launching a denial-of-service attack on Android devices doesn't cause those smartphones to crash, but it does slow them down. It also makes it impossible to use the app until the attack has finished.
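Whether the client crashes (iPhone) or merely slows down (Android), the flood of 1,000 snaps in five seconds described above is something the service can stop before it ever becomes a push notification. The following is an added example, not Snapchat's code and not from the original post: a per-recipient sliding-window limit that sits where the server accepts a snap for delivery, replayed over a constructed traffic stream. The `InboundFloodGuard` class, the threshold of 30 snaps per rolling 60 seconds, and the sender and recipient names are all made up for the example.

```python
from collections import defaultdict, deque

# Constructed policy for the example: at most 30 snaps delivered to any one
# recipient per rolling 60-second window. Real thresholds would come from
# measured traffic, not from this page.
MAX_PER_WINDOW = 30
WINDOW_SECONDS = 60.0


class InboundFloodGuard:
    """Sliding-window limit on snaps delivered to a single recipient.

    Hypothetical server-side component: it runs where the service accepts a
    snap for delivery, before any push notification is generated, so a flood
    never reaches the recipient's device."""

    def __init__(self, max_per_window=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_per_window = max_per_window
        self.window = window
        self._accepted = defaultdict(deque)  # recipient -> timestamps of delivered snaps

    def allow(self, recipient: str, now: float) -> bool:
        q = self._accepted[recipient]
        # Forget deliveries that have slid out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False  # recipient is saturated: defer or drop this snap
        q.append(now)
        return True


def replay(stream, guard):
    """Run a (timestamp, sender, recipient) stream through the guard and
    report, per recipient, how many snaps were delivered and how many dropped."""
    delivered = defaultdict(int)
    dropped = defaultdict(int)
    for ts, _sender, recipient in sorted(stream):
        if guard.allow(recipient, ts):
            delivered[recipient] += 1
        else:
            dropped[recipient] += 1
    return dict(delivered), dict(dropped)


def constructed_stream():
    """Constructed traffic: a burst of 1,000 snaps in five seconds aimed at
    "victim", like the demonstration above, mixed with 20 ordinary snaps to
    "friend" spread over a minute. Names and timing are made up."""
    burst = [(i * 0.005, "flooder", "victim") for i in range(1000)]
    normal = [(i * 3.0, "pal", "friend") for i in range(20)]
    return burst + normal


if __name__ == "__main__":
    delivered, dropped = replay(constructed_stream(), InboundFloodGuard())
    print("delivered:", delivered)  # {'victim': 30, 'friend': 20}
    print("dropped:", dropped)      # {'victim': 970}
```

The limit is keyed on the recipient rather than the sender on purpose: a sender-side quota is defeated by spreading the flood over many accounts or many machines, as the post describes, while a recipient-side cap bounds what any one device can be made to process regardless of how many senders take part. The counts of dropped snaps per recipient are also the natural signal to alert on.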

If you have the friends-only setting and the attacker is not in your friend list, it shouldn't affect you. In December we discovered another critical flaw in Snapchat. They were not using the request token, so you could remove it from the request when sending a snap, and Snapchat's servers didn't check it. This led to a problem, because we could spoof snaps from any user account on the system. The catch was that we needed to be a friend of the victim, so we searched for an account that was a friend of everyone... you know which account that was??? Yes, the official teamsnapchat account :)



But they fixed it in January, so now you have to be a friend of the victim, or the victim must have the public setting active.

HOW EXACTLY DOES THE DOS OVERLOAD CRASH THE PHONE?

All push notification systems work by having the mobile operating system (iOS in this case) issue an address which app publishers use to direct the delivery of a notification to the device. The Apple Push Notification service transports and routes a notification from a given provider to a given device. A notification is a short message consisting of two major pieces of data: the device token and the payload. The device token is analogous to a phone number, and provides the authentication Apple requires to deliver a push message to the intended app.

Probably Snapchat's application doesn't handle and throttle all the requests and updates you receive, because of a poor implementation. So when you're under this kind of attack, it may be crashing the device through the push notification system, or something worse :)


DID SNAPCHAT SOLVE THIS SECURITY ISSUE?

They haven't: you can still use the same token for several requests, so the attack still works. They told the press they would contact the researcher to get more information to solve the problem. I didn't get any email.

Do you know what security countermeasure they've chosen to solve it? They've banned my two testing accounts and the VPN IP address I used to launch the proof-of-concept attack and the research...

I've taken some screenshots of my banned accounts: