Intent Leads To Unauthorised Video Call Initiation Leaking Surrounding Informations Of Victim

The Snapchat application allows users to communicate with photos, text messages, video and voice calls. In order to video call another user, the users must have added each other as friends. Either of the users can then call the other user from within the Snapchat app. In addition, the Snapchat Android application contains a number of Deep Links, designed to allow various functions to be started within the application via a hyperlink. In particular, when clicking a deep link in the form snapchat://call/start?source_type=NEW_CHAT\&calling_media=VIDEO\&conversation_id=[Conversation ID]\&is_group=false, the Snapchat Android application will initiate a call with the specified parameters. A malicious user can construct a deep link which when clicked by their victim, will force the victim's Snapchat Android application to initiate a video call with the attacker. In order to exploit this behavior, the malicious deep link must contain a conversation_id parameter corresponding to the attacker's conversation with the victim.