Background

A few friends and I rocked the Blackberry Curve back in 2009. A user could attach up to ten recipients to a Curve text message. A user could also hit the resend option while a text message was sending, which would effectively send it twice. My friends and I, being devious, learned that you could attach the same person ten times to a text message, which would obviously send the same message to them ten times. Therefore, given a bit of patience, we could effectively "text bomb" our friends by hitting "resend" over and over, sending them hundreds of identical text messages. On newer phones, this was a minor nuisance; the Curve could handle all of those incoming text messages. However, older phones couldn't handle this barrage, so the text bomb would incapacitate the phone for however long it took to process and receive all of those texts.

At the time, I had no idea how to program anything, so I had no problem doing that sort of manual labor just to annoy a friend.

Last night, an acquaintance asked me to help her send a lot of Snaps at once. She wanted to become the top Snapchat friend of a friend of hers, and she cited my computer science and programming knowledge as to why she was asking me. I immediately abstracted this problem as in the same category as the "text bomb" (or really, a denial of service attack) and knew exactly what to do. [1]

Snapchat API

Snapchat doesn't have a public API, but people have reverse-engineered their private API. There are a ton of GitHub repositories containing working API code; I used snapchat-python.

The script

The snapchat-python repo contains concise and relevant example code, making my hunt a lot easier. All I wanted to do was to wrap the upload and send code in a for loop. Here's what I did:

s = Snapchat()
for i in range(0, 100):


This code should output True each time it successfully sends a Snap. I was able to fire off a Snap roughly once per second.

Did it work? Well, I logged back into my own account and started doing this to a couple of my friends who are fine with pranking. [2] One of them sent me this screenshot.

What happens to the recipient?

This Snapchat bomb truly incapacitates someone's phone, mostly because of all the notifications that the phone has to process and display. Recipients simply can't use their phones while they are still receiving Snaps.

Experimenting

First, I was curious if Snapchat supported GIFs. I loaded up a GIF and fired but one off to a friend. He told me he only saw the first frame of the GIF. GIFs are a no-go.

I was then curious whether there was a bottleneck in my code from always re-uploading the image to Snapchat. What if I moved the upload API call out of the for loop? Well, this doesn't work either; you need to upload a fresh image every time you want to send a Snap. The code still outputs True 100 times, but it only sends the Snap once.

This behavior is absolutely against Snapchat's terms of use. According to the Prohibited Activities section, I agree that I will not:

• Use the Services in any manner that could interfere with, disrupt, negatively affect or inhibit other users from fully enjoying the Services

• Send any unsolicited or unauthorized advertising, spam, solicitations or promotional materials

and

• Engage in any harassing, intimidating, predatory or stalking conduct

Reflection

It was laughably easy to use the private Snapchat API to game the friend ranking system and to annoy my friends. Snapchat can avoid this behavior by using rate limiting on specific sender-recipient relationships. I should be curbed from spamming a specific friend, but if I want to send a single Snap to 100 different friends, I shouldn't hit any sort of limit.

It is important to implement a rate limiting scheme that will never have false positives; someone sending Snaps manually should never encounter this limit. Perhaps a burst algorithm would be best, one that detects when a user has sent several Snaps at a rate too fast to be possible manually.
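One way to implement the per-pair burst limit described above, as an added example that is not code from this post or from snapchat-python. It keeps a token bucket per (sender, recipient) pair; the parameters (a burst of 10 Snaps, refilling one token every four seconds) are assumed values chosen for illustration, and the simulation reproduces the post's scenarios: a script sending once per second to one friend, a person sending manually, and a fan-out of one Snap each to 100 friends.

```python
from collections import defaultdict


class PairRateLimiter:
    """Token bucket keyed on (sender, recipient).

    Each pair starts with `burst` tokens and regains `refill_per_s`
    tokens per second, capped at `burst`. One token is spent per Snap.
    Sending to many different recipients touches many different
    buckets, so fan-out is never throttled; only repeated Snaps to the
    same recipient drain a bucket. Parameters are assumed for this
    example, not Snapchat's.
    """

    def __init__(self, burst=10, refill_per_s=0.25):
        self.burst = burst
        self.refill_per_s = refill_per_s
        # (sender, recipient) -> [tokens, timestamp of last decision]
        self._buckets = defaultdict(lambda: [float(burst), None])

    def allow(self, sender, recipient, now):
        """Return True if this Snap may be sent at time `now` (seconds)."""
        bucket = self._buckets[(sender, recipient)]
        tokens, last = bucket
        if last is not None:
            # Refill proportionally to the time since the last decision.
            tokens = min(self.burst, tokens + (now - last) * self.refill_per_s)
        if tokens >= 1:
            bucket[0], bucket[1] = tokens - 1, now
            return True
        bucket[0], bucket[1] = tokens, now
        return False


def simulate(limiter, sender, recipients, interval_s, count):
    """Send `count` Snaps round-robin over `recipients`, `interval_s`
    apart, and return how many the limiter lets through."""
    sent = 0
    for i in range(count):
        if limiter.allow(sender, recipients[i % len(recipients)], i * interval_s):
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed scenarios: scripted spam, manual pacing, and fan-out.
    print("script, 1 Snap/s to one friend:", simulate(PairRateLimiter(), "alice", ["bob"], 1.0, 100))
    print("manual, 1 Snap/5 s to one friend:", simulate(PairRateLimiter(), "alice", ["bob"], 5.0, 100))
    print("fan-out, 1 Snap each to 100 friends:", simulate(PairRateLimiter(), "alice", [f"f{i}" for i in range(100)], 1.0, 100))
```

With the assumed parameters the scripted sender gets its first 13 Snaps through and is then held to one every four seconds, while the manual sender and the fan-out are never blocked.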

A more serious consequence of Snapchat's private API being so easy to access programmatically is that it is simple to impersonate somebody else over Snapchat. I've heard of people using Snapchat as a way to affirm that someone they've been talking to on some sort of Internet dating website (think Plenty of Fish or Tinder) is real and not a fraud. These Snapchat libraries make such fraud easy, so the mere existence of a Snapchat should not be interpreted in this way.

Footnotes

[1] How did I actually Snapchat bomb her friend from her account? She gave me her username and changed her password to something benign. This does not violate Snapchat's terms of use.

[2] In case anyone was curious, I was sending image memes. A joke is funnier the 100th time it's told, right?