🔬 ATLAS SECURITY LAB

Lab Vulnerabilities

Token Reuse (No Expiry)
sc_token in localStorage never expires — valid forever
Location Privacy Leak
GET /api/map/friends — all friends' GPS coords exposed
IDOR on Snaps
GET /api/snaps/[snap_id] — numeric IDs, easily enumerable
XSS in Story Caption
Story caption/title rendered as innerHTML
Snapchat

Log in to Snapchat

Chat, take snaps, and make video calls with your friends and family.

Or continue with Snapchat for Web

Looking for the app? Get it here.

🔬 LAB
atlas_ghost / snap123  ·  snap_victim / victim99
Token in localStorage — no HttpOnly flag
Chat

Stories

Snap Map

โš ๏ธ VULNERABILITY: GET /api/map/friends returns exact GPS coordinates for all friends โ€” no user consent required. Attacker can track victim's real-time location.
Spotlight