Pocket DDOS
Attackers can flood a Snapchat user's account with thousands of messages in a matter of seconds, causing the app to freeze and the entire device to crash, Jaime Sanchez, a security consultant for Spanish telecommunications company Telefonica, wrote in a post on seguridadofensiva.com. Users may need to perform a hard reset on their iPhones to recover.

Sanchez demonstrated the weakness by sending 1,000 messages within five seconds to Los Angeles Times reporter Salvador Rodriguez's Snapchat account, causing his device to shut down and restart, the Times reported. The attack won't crash Android devices, although they will become slow and the app will be impossible to use, Sanchez said.

Snapchat's privacy-conscious app lets users send photo and video messages which disappear shortly after the recipient has viewed them. When a user sends a message, the app generates a new token to verify the user. Unfortunately, it appears that old tokens can also be reused to send additional messages, Sanchez found.

Poor Security Reputation
Snapchat positions itself as the privacy-friendly messaging app, but has struggled with security issues recently. This latest finding just exacerbates the company's poor reputation among cyber-security researchers.

The company dismissed reports from research group Gibson Security last summer of a flaw within the app which could be used to expose user data. On New Year's Eve, another group successfully exploited the vulnerability and published usernames and phone numbers of almost five million users. Snapchat rolled out a fix to close the hole days later.

Sanchez did not bother contacting Snapchat and went straight to the Los Angeles Times because the startup doesn't care about security—or at least, about security researchers, he said. That's a troubling reputation for a company trying to attract users concerned about their online privacy.

Considering the service already has a spam problem, the fact that spammers can reuse the same token to send thousands of messages means users may be dealing with even more spam in the days ahead. Attackers can also launch targeted attacks against specific users, temporarily rendering their mobile devices unusable.
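The two server-side checks that would close the problems described above (a per-send token that is never consumed, and the message volume that reuse makes possible), shown as an added illustration that is not Snapchat's code or Sanchez's. The `SendGate` class, its window sizes and the sender name are assumed for the example.

```python
import secrets
from collections import Counter, deque


class SendGate:
    """Server-side gate for a 'send message' request (hypothetical design, not Snapchat's)."""

    def __init__(self, max_per_window=20, window_s=60.0):
        self._unused = set()       # (sender, token) pairs issued but not yet spent
        self._accepted = {}        # sender -> deque of accepted-send timestamps
        self.max_per_window = max_per_window
        self.window_s = window_s

    def issue_token(self, sender):
        # One token per send; the client must fetch a fresh one for every message.
        tok = secrets.token_urlsafe(16)
        self._unused.add((sender, tok))
        return tok

    def send(self, sender, token, now):
        """Accept or reject a send; `now` is the server clock in seconds."""
        key = (sender, token)
        if key not in self._unused:          # unknown, already spent, or someone else's
            return "rejected:bad_or_reused_token"
        q = self._accepted.setdefault(sender, deque())
        while q and now - q[0] > self.window_s:   # drop sends outside the sliding window
            q.popleft()
        if len(q) >= self.max_per_window:
            return "rejected:rate_limited"
        self._unused.discard(key)            # consume: spent the moment it is accepted
        q.append(now)
        return "accepted"


def replay_outcomes(n):
    """Same token replayed n times within a second: only the first send gets through."""
    gate = SendGate()
    tok = gate.issue_token("alice")
    return dict(Counter(gate.send("alice", tok, 100.0 + i * 0.001) for i in range(n)))


def fresh_token_flood_outcomes(n):
    """n sends with a fresh token each, all inside one window: the rate limit caps them."""
    gate = SendGate(max_per_window=20, window_s=60.0)
    return dict(Counter(gate.send("alice", gate.issue_token("alice"), 100.0 + i * 0.001)
                        for i in range(n)))
```

The first function models the reported flaw being closed (a token is spent on first use); the second shows that even a client that dutifully fetches a new token per message cannot exceed the per-window cap.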

A Fix is Coming?
The company told the Times it was curious about the weakness Sanchez discovered and would be investigating. However, Sanchez claimed on Twitter that Snapchat had blocked two accounts he was using for testing, as well as the IP address of the VPN he uses.

"That's their countermeasure," Sanchez said.

Secure messaging is an increasingly crowded space, and if Snapchat wants to retain its popularity, it needs to reverse its poor security reputation immediately. And the first step towards doing that is taking the researcher community seriously.