Thursday, January 03, 2013

Facebook Poke vs Snapchat - Security Comparison

Facebook Poke vs Snapchat - on security.
@adamcaudill got me started with his tweet + blog post about some of the lack of security in Snapchat, and I just had to take a look. After hammering Snapchat for a while, I thought I could do a security comparison to Facebook Poke, Facebook's own app that does pretty much the same thing as Snapchat. If you want a feature comparison, take a look here at TechCrunch.

While Adam does the crypto + API stuff - the inner workings of the Snapchat app - I'm more interested in the visible password stuff. And before we start talking about financial muscle, size of organisation etc. between Facebook & Snapchat: it doesn't take a giant to do good security. (Rather the contrary, I would say.)

I think you are better & safer off with Facebook Poke, compared to Snapchat, at least for the time being. Read more to understand why:

Feel free to copy, print, mangle, reuse, distribute etc.

Reveals if password is incorrect

In a security environment I'd prefer "Username or password entered incorrectly". A generic message denies an attacker confirmation that a username exists, which makes account enumeration a bit harder; how much harder depends on how predictable the usernames are. For large-scale consumer services like these I can easily understand from a usability perspective why Facebook & Snapchat do what they do here.
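
The point above, as an added example (not code from either app): a login handler that leaks which half of the credential was wrong, beside one that returns the same message either way. The hardened version also runs the same PBKDF2 work for an unknown username as for a known one, so an attacker cannot tell the two apart by response time either. User names, passwords and the iteration count are constructed for illustration.

```python
"""Uniform login failure: leaky handler vs. hardened handler (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; illustrative value
GENERIC_FAILURE = "Username or password entered incorrectly"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(credentials):
    """Build {username: (salt, pbkdf2_hash)} from a {username: password} dict."""
    db = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash(password, salt))
    return db


# Salt and hash for a user that does not exist. Verifying against these makes
# an unknown username cost the same PBKDF2 work as a wrong password, so the
# response time does not reveal whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("", _DUMMY_SALT)


def login_leaky(db, username, password):
    """What the page criticises: distinct messages for unknown user / bad password."""
    if username not in db:
        return (False, "Unknown username")      # confirms the account does not exist
    salt, stored = db[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "Incorrect password")    # confirms the account exists
    return (True, "Welcome")


def login_uniform(db, username, password):
    """Preferred: one message and one amount of work for every failure."""
    salt, stored = db.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # 'username in db' guards against an empty password matching the dummy hash
    ok = matches and username in db
    return (ok, "Welcome" if ok else GENERIC_FAILURE)


if __name__ == "__main__":
    users = make_user_db({"alice": "correct horse battery"})   # constructed sample
    print(login_leaky(users, "mallory", "x"))      # (False, 'Unknown username')
    print(login_leaky(users, "alice", "x"))        # (False, 'Incorrect password')
    print(login_uniform(users, "mallory", "x"))    # (False, GENERIC_FAILURE)
    print(login_uniform(users, "alice", "x"))      # (False, GENERIC_FAILURE)
    print(login_uniform(users, "alice", "correct horse battery"))  # (True, 'Welcome')
```

Note that a uniform message on its own is not enough if registration or password reset still answers "that e-mail is already taken" or "no account with that address"; every endpoint that takes a username has to behave the same way.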

Incorrect info on password reset in FAQ
Seriously, I hate finding inconsistencies between FAQs, policies and actual implementations of written policies. I've written about it before, and I will do it again. It confuses end users. It makes sysadmins cry. It makes auditors use red pencils. It makes management spend more money than needed to fix stupid things (to satisfy stupid auditors). Keep your implementations consistent with your documentation, people!
(Snapchat says in their FAQ they will e-mail you your password if you forget it. Good thing they don't do that...)

2-factor authentication available
Facebook has a huge advantage over Snapchat, offering optional 2-factor authentication for Poke. If enabled for a user's Facebook account, it automatically also applies to the Poke app. After installing Poke and entering my Facebook username and password, I received an SMS with my 6-digit OTP from Facebook. I entered it into the password field of Poke, and I was in. This stops an attacker who has only guessed or otherwise obtained your Facebook password from gaining access to Poke (or your Facebook account).

Minimum password length
Length 4 or length 6 - it doesn't really matter. If the password hashes are stolen, leaked or lost, passwords that short are cracked in no time, whatever the hash format. What we do know is that many users - perhaps 50% - will go for the lowest possible requirement. That makes things worse for Snapchat: users may very well choose their smartphone's 4-digit PIN as their "password" for Snapchat. Password reuse = dangerous!

Password complexity requirements
With no complexity requirements, people will use lowercase names or words, digits only, or a lowercase name/word with digits at the end as their passwords. Easily guessed in online attacks, easily cracked in offline attacks.

Password reset reveals users e-mail address
Yesterday, Jan 2, 2013, using Snapchat for Android:

(screenshot)

Today, Jan 3, 2013, using Snapchat for Android:

(screenshot)
Thank you "tensafefrogs" for getting it fixed, and Hacker News & InfoSecurity Magazine for telling me about it!
However, there is no "I have forgotten my password" button in the Facebook Poke application; you have to go to Facebook.com to reset your account password.

Multiple password reset options
Facebook offers a range of options for resetting a user's password. Depending on the user's configuration, including the use of 2-factor authentication, this can be very good security-wise while maintaining a decent level of usability. Snapchat, as the up-and-coming competitor, only offers password reset by sending the user an e-mail with a password reset link (more on this later). My guess is Snapchat will have to change as soon as account compromise becomes a serious problem for them - and their users.

Password reset link uses HTTPS
Failure for Snapchat, while Facebook does it correctly by using HTTPS. The reset link is the credential: when a user clicks a plain http:// link, the token travels in clear text, so anyone on the network path (the same open Wi-Fi, for instance) can read it and reset the password first.
Password reset mail from Snapchat. No HTTPS.

SSL website support
Facebook uses it by default now, as far as I know, and it is available to all. When I tried to use Qualys SSL Labs to scan www.snapchat.com, the answer was simple: there is none, or it is seriously misconfigured. I have to confess, though, that I haven't tcpdump'ed the app traffic yet to see which servers it talks to.

Web account administration
You can administrate your account, including various settings, on Facebook's web page, and partially in their various apps. No administration is available inside the Poke app, just an option to log off and some minor details:

Snapchat has no online web account administration. All administration is done inside the app, and it doesn't have much to offer:
Snapchat settings. Not much to see here, move along people.
So tell me, Snapchat: how/where do I delete my account?

Password reset link can be reused
Yay. THIS is bad. Not only is the reset link plain HTTP, but one reset link can be reused. I asked for a total of 3 password resets and got a new e-mail each time (with a unique URL in each), but I did all my password resets using the first link I got. I'm not going to spell out how this can be exploited, hoping Snapchat does something before all hell breaks loose.

As far as I know, Facebook reset links cannot be reused.

Password reset link expires
For Snapchat I cannot say that the links won't die after some time, but at the moment they work perfectly, even after many, many hours. All of them, in random order. Again and again.

Game on hackers, this seems pretty easy to achieve!

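
The three reset-link properties discussed in the last sections (HTTPS link, single use, expiry) fit in one small piece of server-side logic. The block below is an added example, not Snapchat's or Facebook's code: it issues a random token, stores only its SHA-256 digest (so a leaked database does not hand out working links), invalidates any earlier outstanding link for the same account, refuses the link after a fixed lifetime, and deletes it on first use. The host example.invalid, the 30-minute lifetime and the account names are assumptions made for illustration.

```python
"""Single-use, expiring password-reset links (added example)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 30 * 60                      # illustrative lifetime: 30 minutes
BASE_URL = "https://example.invalid/reset"       # HTTPS only; the token is the credential


class ResetService:
    def __init__(self):
        # sha256(token) -> {"account": ..., "expires": ...}; the raw token is never stored
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).digest()

    def issue(self, account, now=None):
        """Create a fresh reset link for `account`, revoking any earlier link for it."""
        now = time.time() if now is None else now
        # one outstanding link per account: older links stop working
        self._pending = {d: rec for d, rec in self._pending.items()
                         if rec["account"] != account}
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = {"account": account,
                                              "expires": now + TOKEN_TTL_SECONDS}
        return f"{BASE_URL}?token={token}"

    def redeem(self, token, now=None):
        """Consume a token once. Returns (status, account); account is None on failure."""
        now = time.time() if now is None else now
        presented = self._digest(token)
        # constant-time comparison against each stored digest; no early exit on match
        match = None
        for stored in self._pending:
            if hmac.compare_digest(presented, stored):
                match = stored
        if match is None:
            return ("invalid", None)             # unknown, already used, or superseded
        rec = self._pending.pop(match)           # removed on first use, valid or expired
        if now > rec["expires"]:
            return ("expired", None)
        return ("ok", rec["account"])


def token_from_link(link):
    """Pull the token parameter out of a reset link (what the reset page would do)."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    svc = ResetService()
    first = svc.issue("alice", now=1000.0)
    second = svc.issue("alice", now=1001.0)      # revokes `first`
    print(svc.redeem(token_from_link(first), now=1002.0))    # ('invalid', None)
    print(svc.redeem(token_from_link(second), now=1002.0))   # ('ok', 'alice')
    print(svc.redeem(token_from_link(second), now=1003.0))   # ('invalid', None): no reuse
    late = svc.issue("bob", now=2000.0)
    print(svc.redeem(token_from_link(late), now=2000.0 + TOKEN_TTL_SECONDS + 1))  # expired
```

In a real deployment the pending table lives in the database and the account's password is changed inside the same transaction that deletes the token, so two concurrent requests with the same link cannot both succeed.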
Account change info by mail
Sometimes a picture really says a lot:


In short: Facebook will let me know if somebody tries to poke around with my account and/or manages to log on to Facebook and/or Poke without my consent. Snapchat does nothing.

Password max length > 15 support
Facebook supports passwords longer than 15 characters on all platforms I've tested. Snapchat restricted me to a maximum of 15 characters when I registered for an account using the app (on Android). Then I discovered that I could set a 60-character password through the password reset option; I tried to log on using the app but *NO*, the app's password input field is limited to 15 characters. Another password reset, and I was back at <= 15 characters.

Snapchat: please read section "Incorrect info on password reset in FAQ" again.

Am I missing something?
Most probably, yes. The above are the results of a few hours' work. If I had the time, money and interest to go further, I would have done so.

Conclusion

I think you are better & safer off with Facebook Poke compared to Snapchat. Almost everything I've seen about Snapchat is a perfect example of how NOT to do product development, implementation & launch from a technical security perspective. On the other hand, I guess investors are willing to walk over dead bodies to get a load of shares once Snapchat goes public. Oh well, none of my business.

I wouldn't be surprised if Snapchat has a better ability to respond & fix faster than Facebook. Good luck guys!

4 comments:

  1. Is there any chat service you can recommend?

  2. Well, the obvious recommendation is to meet live in person, to talk together. Experience as well as research shows it can give amazing results. ;-)

    If you still want a chat service, I recommend using something that comes from a known vendor, a service that is used by many, has been around for some time (1-2 years at least), provides information on how your security & privacy is handled and has been the subject of public examination into its security. :-)

    (I won't be any more specific than that.)

  3. Snapchat will tell you if the recipient of a message from you makes a screenshot of it. However it seems as if making screenshots can be prevented, at least on Android ICS and up:
    http://stackoverflow.com/questions/9822076/how-do-i-prevent-android-taking-a-screenshot-when-my-app-goes-to-the-background

  4. Yes, it seems like you can prevent screenshots with a FLAG_SECURE param set in the app. As far as I can tell it's been around since before ICS, but manufacturer implementations have not been the best.

    This flag should prevent both the OS screenshot for the history/task list and general screenshots.

    http://developer.android.com/reference/android/view/Display.html#FLAG_SECURE

    However, it doesn't prevent users from taking screenshots with phone connected to a pc and USB debugging enabled.

