Security information for safe digital use from Canon MJ | Cyber Security Information Bureau
ESET: What is "SnapHack"? The risk of having your account hijacked with ease

After demonstrating in 2020 how easily anyone could hijack a WhatsApp account, I put my experiments in hacking other people's accounts on hold, for ethical reasons. However, as people gradually began socializing again, I thought it would be interesting to try the old tricks on people with less secure habits, namely my friends. When I tested whether popular apps could still be hacked, I was shocked at how easy it still was.

I chose one of the top 10 free apps on Apple's App Store to see whether I could hijack someone else's account on it. The experiment not only shows how easy that can be; it is also an opportunity to show how to protect your own account.

Snapchat's core users are 18 to 24 years old (although many users are likely younger). Generation Z grew up surrounded by digital products from an early age and is generally considered "tech-savvy."

On the other hand, this younger generation is often seen as careless about security: not setting up two-factor authentication (2FA), or sharing passwords with friends. So I set out to see how Snapchat handles security and whether it could be hacked as easily as WhatsApp.

This time I used a technique called "shoulder surfing" (sometimes called "shoulder hacking"): looking over someone's shoulder to steal confidential information such as passwords, PINs, and verification codes. It is simple but effective, and it can cause serious problems for social media and other accounts. Does it work for hijacking a Snapchat account?

Results of the experiment

I didn't have a Snapchat account myself, but some of my friends did. I needed a real account to test against, so I asked a colleague for permission to approach her friend, "Ell." Ell was willing to take part in the experiment to raise awareness of cyber security, on the condition that even if the hack succeeded, I would not post anything from her account.

I invited Ell to lunch to thank her for her help, and she came along with her friend. When we reached the table, I sat down next to Ell and we chatted while each using our own smartphones. I had installed Snapchat in advance but had not set up or logged in to an account. I opened the app and went to the login screen, and there in the center of the screen was the attacker's favorite link: "Forgot your password?"

Figure 1: Snapchat login screen

This link is the first thing an attacker looks at when exploring how an account might be taken over. Clicking "Forgot your password?" leads to a screen where you choose how to reset the password. The options were "phone or email"; I chose phone and was asked to enter a phone number.


Figure 2: Screen for entering a phone number

At the table, Ell was still exchanging messages with her friends on her smartphone. I entered her phone number and waited, sitting beside her, for the moment to shoulder-surf the verification code. Shortly afterwards the code arrived as a drop-down notification at the top of her iPhone screen. I glanced at the six-digit number and memorized it.

I thought she might notice at this point, but she ignored the notification and carried on messaging her friends. In fact, when we talked through the experiment afterwards, she said she hadn't even noticed the notification from Snapchat: "There are so many notifications that it just got buried."

I entered the verification code on my phone, was immediately prompted to set a new password, and changed it to "Jake Is Awesome.1". Up to this point it was as easy as the earlier WhatsApp hijacking experiment, but Snapchat had one more step before it would hand over full control of the account.

I wasn't asked for the password (perhaps because an account can be created without an email address or username); instead, Snapchat sent a second verification code by text message to her phone number. Ell's phone was still lying open on the table (and she still paid it no attention), so I was able to read this code too from the SMS notification. I used it to log in to the app, which gave me full control of the account and locked Ell out of it.

As promised, I didn't post anything or contact her friends, but the proof of concept had succeeded. I knew her phone number, and the rest was simply a matter of looking at her smartphone over her shoulder. Every Snapchat user needs to be aware that their account is at risk: if someone nearby wants to hack it, the account can easily be stolen and you could then be asked for a ransom.

Going a step further, this attack could probably be carried out remotely as well, by using social engineering: calling the target and persuading them to read the verification code out loud. Attacks of this kind are on the rise, so treat any request to share a code with suspicion.

This experiment would probably not have worked if the only recovery option had been email. I would have needed Ell to open the email she received and then click the link in it, and it is unlikely she would have done both. Snapchat's password recovery procedure instead sends the code over unencrypted SMS, and the phone displays it on the notification screen, where an attacker can easily read it.

How do I recover my Snapchat account?

Recovering a stolen Snapchat account is unfortunately not easy. Everything depends on what changes the attacker made. If the attacker only changed the password, you can take the account back by running through the same reset steps described above.

However, if the phone number or email address has been changed, or if two-factor authentication has been added, the means of recovery are limited, as with many social media services. Getting the service operator to undo the attacker's changes is not easy. If you think your account has been compromised, Snapchat has published advice that you can refer to.

How do I protect my Snapchat account?

In addition to using a complex and unique passphrase (which applies to every online account, not just Snapchat), enable two-factor authentication from Snapchat's settings screen, and do the same for every other app that offers it. In Snapchat, open the settings screen and check the two-factor authentication settings. Two-factor authentication via SMS is acceptable, but an authenticator app such as Microsoft Authenticator or Google Authenticator is much better, because the code is generated on your own device rather than sent to you in a message that can be read off the screen.

Figure 3: Two-factor authentication settings screen

Even if you don't use Snapchat yourself, there are probably people around you who do. Encourage them to read about this "Snapchat hack" and to apply the advice above to all of their online accounts.

Shoulder surfing itself can be avoided by keeping other people away from your screen, especially when entering sensitive information into apps and websites in public places. Turning off notification previews also stops anyone from reading a code off your phone, even while it is locked. And keep an eye on incoming SMS messages when using a smartphone or tablet in public. Had Ell done these things, this attack on her Snapchat account would have failed.