How I hacked Snapchat? (kinda)

Prateek Srivastava
Published in CodeChef-VIT
4 min read · Jan 17, 2024

Hello, friend.

You know well the effort it takes to keep those streaks alive by sending snaps every day, it’s a whole commitment! I was there, bored, trying to figure out something interesting to do, and suddenly it crosses my mind — Snapchat Web. I mean, who even thinks of using Snapchat in a BROWSER when you’ve got the app right there on your phone? But that’s me.

I was trying to log in to Snapchat Web just to play around, when a surprise alert popped up on my phone. It was a text message letting me know that someone had logged into my account. What’s odd? Well, along with the message, they slipped in a sneaky link to opt out of these alerts.

https://subscriptions.snapchat.com/alert?t=9PphSeK

Hmm, that’s interesting. It’s just a 7-character alphanumeric string. I went ahead and clicked on the link and got “You have been unsubscribed.”

Wait a sec! What’s my phone number doing here? Is it supposed to be here? I don’t think so…

Anyone else would have left it there, thinking we are done here, but my dissociative identity disorder kicked in with my Mr. Robot identity (if you haven’t watched it yet, you are missing out on something great) coming into play. I fired up Burp Suite (a tool that lets you intercept the incoming and outgoing traffic of your web browser) to see what’s going on behind the scenes. I intercepted the request and saw that the page sends a POST request.

POST /sms/set_preferences HTTP/2
Host: subscriptions.snapchat.com
Content-Length: 60
Content-Type: application/json

{"token": "9PphSeK","subscriptions":{"I":"UNSUBSCRIBE"}}

Just to give a quick overview of the request:

  • The request uses the POST method, which is generally used to send data to the server to create or update a resource.
  • The body of the request is JSON containing two parameters: token and subscriptions.
  • The value of token is the same as the one received in the text message.
  • The parameter subscriptions is a JSON object holding the key I with the value UNSUBSCRIBE, which instructs the server to perform the operation.

So, that alphanumeric string we saw earlier is 7 characters long, mixing letters and numbers. Now, get this: if we calculate all the possible combinations over that charset, we end up with a whopping total of 62⁷ = 3,521,614,606,208 combinations. Why does that even matter, though? OKAY! LET ME GIVE YOU SOME STATS.
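To make the keyspace argument concrete, here is a small token-sizing calculator (an added example, not code from the original post). It takes the post’s figures (a 62-character alphabet, 7-character tokens, 750 million accounts) and turns them into the numbers a defender uses when deciding how long an unauthenticated, link-embedded token must be: total keyspace, entropy in bits, the average number of random guesses before any live token is hit, and the token length needed to reach a target entropy. The 128-bit target is an assumption chosen for illustration, not a figure from the post.

```python
import math

ALPHANUMERIC = 62  # [A-Za-z0-9], the charset the alert-link token appears to use

def keyspace(length: int, charset_size: int = ALPHANUMERIC) -> int:
    """Number of distinct tokens of `length` characters over the charset."""
    return charset_size ** length

def entropy_bits(length: int, charset_size: int = ALPHANUMERIC) -> float:
    """Entropy (in bits) of a uniformly random token of this length."""
    return length * math.log2(charset_size)

def expected_guesses_per_hit(length: int, valid_tokens: int,
                             charset_size: int = ALPHANUMERIC) -> float:
    """Average number of uniformly random guesses before one lands on ANY live token.

    This is the defender's risk metric: a token space is only safe if this number
    is astronomically larger than the request volume a server will ever see.
    """
    return keyspace(length, charset_size) / valid_tokens

def minimum_length_for_bits(target_bits: float,
                            charset_size: int = ALPHANUMERIC) -> int:
    """Smallest token length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))

def sizing_report(valid_tokens: int, lengths=(7, 16, 22)) -> dict:
    """Summarise keyspace, entropy and guesses-per-hit for several token lengths."""
    return {
        n: {
            "keyspace": keyspace(n),
            "entropy_bits": round(entropy_bits(n), 2),
            "guesses_per_hit": expected_guesses_per_hit(n, valid_tokens),
        }
        for n in lengths
    }

if __name__ == "__main__":
    DAILY_ACTIVE_USERS = 750_000_000  # figure quoted in the post
    for n, row in sizing_report(DAILY_ACTIVE_USERS).items():
        print(f"{n:>2} chars: keyspace={row['keyspace']:.3e} "
              f"entropy={row['entropy_bits']} bits "
              f"guesses/hit={row['guesses_per_hit']:.3e}")
    print("length for 128-bit tokens:", minimum_length_for_bits(128))
```

Running it shows why the 7-character token was a problem: with one live token per account, a random guess is expected to hit some account after only a few thousand requests, whereas a 22-character token over the same alphabet gives roughly 128 bits and a guesses-per-hit count that no server could ever serve.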

Snapchat is a globally used social media platform with a total of 750 million (750,000,000) daily active users.

Alright, buckle up for our theory. With a valid token, we were able to view the registered phone number on Snapchat and get unsubscribed from alerts. There is a possibility! Now, imagine trying all combos to get every user’s number. Sounds cool, right? We just need a tool. A tool that churns out every possible combination and fires POST requests nonstop. It’s brute force in action! But here’s the catch. Servers have defenses in place, like rate-limiting mechanisms that restrict brute-force attempts.

Rate limiting is a method that restricts the number of requests a user or system can make within a specific timeframe, to prevent server overload or abuse.

I tried giving it a shot. No rate-limiting on the server? That’s unexpected.
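The post names three things a defender would want on this endpoint: per-client rate limiting, no oracle that tells a guesser whether a token exists, and no phone number echoed back to an unauthenticated page. The following handler is an added example that ties them together for the POST /sms/set_preferences request shown above; it is not Snapchat’s code and says nothing about how Snapchat actually fixed the issue. The limits, the in-memory token store and the sample phone number are all constructed for the example, and a real deployment would keep the counters in shared storage rather than process memory.

```python
import json
import re
from collections import defaultdict, deque

TOKEN_RE = re.compile(r"^[A-Za-z0-9]{7}$")  # shape of the token seen in the alert link
WINDOW_SECONDS = 60                         # hypothetical sliding window
MAX_REQUESTS_PER_WINDOW = 20                # hypothetical per-client request budget
MAX_INVALID_TOKENS_PER_WINDOW = 5           # hypothetical: unknown/bad tokens before blocking

# Constructed sample store (token -> subscriber record); not real data.
TOKENS = {"9PphSeK": {"phone": "+15555550100", "alerts": True}}

class PreferencesService:
    """Minimal server side for /sms/set_preferences with abuse controls."""

    def __init__(self):
        self._requests = defaultdict(deque)  # client -> timestamps of accepted requests
        self._invalid = defaultdict(deque)   # client -> timestamps of invalid-token attempts

    @staticmethod
    def _prune(window: deque, now: float) -> None:
        # Drop timestamps that have aged out of the sliding window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def handle(self, client_ip: str, raw_body: str, now: float):
        """Return (http_status, response_body) for one request."""
        reqs, bad = self._requests[client_ip], self._invalid[client_ip]
        self._prune(reqs, now)
        self._prune(bad, now)
        # Rate limit BEFORE touching the token store, so guessing costs nothing server-side.
        if len(reqs) >= MAX_REQUESTS_PER_WINDOW or len(bad) >= MAX_INVALID_TOKENS_PER_WINDOW:
            return 429, {"error": "too many requests"}
        reqs.append(now)

        try:
            body = json.loads(raw_body)
            token, subs = body["token"], body["subscriptions"]
        except (ValueError, KeyError, TypeError):
            return 400, {"error": "malformed request"}

        # Identical response for a badly formed token and an unknown token: the
        # endpoint must not act as an oracle for which tokens exist.
        if not isinstance(token, str) or not TOKEN_RE.match(token) or token not in TOKENS:
            bad.append(now)
            return 400, {"error": "malformed request"}

        record = TOKENS[token]
        if isinstance(subs, dict) and subs.get("I") == "UNSUBSCRIBE":
            record["alerts"] = False
        # Confirm the action without echoing the phone number (or any other PII).
        return 200, {"status": "ok"}

def simulate_guessing(service: PreferencesService, client_ip: str, count: int):
    """Send `count` requests with distinct invalid tokens; return the status codes."""
    statuses = []
    for i in range(count):
        token = "AAAAAA" + "BCDEFGHIJK"[i % 10]            # well-formed but not in TOKENS
        body = json.dumps({"token": token, "subscriptions": {"I": "UNSUBSCRIBE"}})
        statuses.append(service.handle(client_ip, body, float(i))[0])
    return statuses

if __name__ == "__main__":
    svc = PreferencesService()
    print(svc.handle("203.0.113.5",
                     '{"token": "9PphSeK","subscriptions":{"I":"UNSUBSCRIBE"}}', 0.0))
    print(simulate_guessing(svc, "198.51.100.9", 8))
```

The invalid-token counter is the piece that matters most against the scenario in the post: a client that keeps sending well-formed tokens the server has never issued is, almost by definition, enumerating, and gets a 429 long before it could plausibly hit a live token.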

“Control can sometimes be an illusion. But sometimes, you need illusion to gain control.” ~Elliot Alderson

I created a Python script and loaded it onto my DigitalOcean Droplet because it had a pretty decent network bandwidth of 8 Gbps. Now, it’s show time!

Script fired! Within minutes, I started getting random phone numbers linked to Snapchat accounts. I could see money falling in front of my eyes. No! I wasn’t high at all :)

Snapchat has its own bug bounty program listed on HackerOne. I drafted a report with a proof-of-concept video and reported the vulnerability. Within a few hours, they acknowledged the vulnerability and triaged my report.

Ah, that’s my dissociative identity disorder kicking in again. I guess this is the closest I’ll come to being Mr. Robot. Signing off.

Goodbye, friend.