Bypass Rate Limits on app.snapchat.com API Endpoint via X-Forwarded-For Header
Medium
Snapchat
Team Summary
Official summary from Snapchat
An attacker can bypass the rate limiting in place at `app.snapchat.com` by setting the `X-Forwarded-For` header to `127.0.0.1` in POST requests to `app.snapchat.com/stories_everywhere/download_sms` and several other endpoints. This bypasses the controls in place for this endpoint, which appears to have strict rate limits.
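The pattern described in the summary, shown as an added example (not code from the report, the reporter, or Snapchat): a small sliding-window rate limiter whose bucket key is derived from the request, with a vulnerable key function that trusts the client-supplied `X-Forwarded-For` header next to a hardened one that only honours the header when the TCP peer is a known proxy. The trusted-proxy address `10.0.0.1`, the loopback exemption, the request limit of 5 per 60 seconds, and all client addresses and traffic are constructed for illustration.

```python
"""Added example: why a rate limiter keyed on X-Forwarded-For is bypassable,
and how to key it on the real client instead. All addresses and limits here
are constructed, not taken from the report."""
import time
from collections import defaultdict, deque

LIMIT = 5                       # requests allowed per window (constructed)
WINDOW = 60.0                   # window length in seconds (constructed)
TRUSTED_PROXIES = {"10.0.0.1"}  # hypothetical load-balancer address
EXEMPT_KEYS = {"127.0.0.1"}     # hypothetical "internal traffic" allow-list


class RateLimiter:
    """Sliding-window counter keyed by whatever string the caller passes in."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        # Exempt keys skip the limiter entirely; this is what makes a spoofed
        # loopback address so valuable to anyone who can choose the key.
        if key in EXEMPT_KEYS:
            return True
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window:
            q.popleft()                       # drop hits outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def client_key_naive(peer_ip, headers):
    """Vulnerable: the key is whatever X-Forwarded-For says, so any client can
    pick its own bucket (rotate the value) or land in the exempt one."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()      # client-controlled left-most entry
    return peer_ip


def client_key_hardened(peer_ip, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then take the right-most address (the one that proxy appended), never the
    left-most entry the client may have supplied itself."""
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip                        # direct client: header is untrusted
    raw = headers.get("X-Forwarded-For", "")
    parts = [p.strip() for p in raw.split(",") if p.strip()]
    return parts[-1] if parts else peer_ip


def count_allowed(key_fn, requests):
    """Replay (peer_ip, headers) pairs one second apart through a fresh
    limiter and return how many requests got through."""
    rl = RateLimiter()
    allowed = 0
    for i, (peer, hdrs) in enumerate(requests):
        if rl.allow(key_fn(peer, hdrs), now=float(i)):
            allowed += 1
    return allowed


# Constructed traffic: one direct client at 203.0.113.7 sends 20 requests.
SPOOF_LOOPBACK = [("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})] * 20
SPOOF_ROTATING = [("203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"})
                  for i in range(20)]
# Constructed traffic arriving via the real proxy, which appended the true
# client address after a client-supplied value.
BEHIND_PROXY = [("10.0.0.1", {"X-Forwarded-For": "127.0.0.1, 198.51.100.9"})] * 20

if __name__ == "__main__":
    for name, traffic in [("spoofed loopback", SPOOF_LOOPBACK),
                          ("rotating XFF", SPOOF_ROTATING),
                          ("behind proxy", BEHIND_PROXY)]:
        print(f"{name:17s} naive={count_allowed(client_key_naive, traffic):2d}"
              f"  hardened={count_allowed(client_key_hardened, traffic):2d}")
```

With the naive key function every one of the 20 requests is served in all three scenarios: the spoofed `127.0.0.1` lands in the exempt set, and rotating values give each request a fresh bucket. The hardened key function ties the bucket to the TCP peer (or, behind the trusted proxy, to the address the proxy itself appended), so only the first 5 requests per window get through regardless of what the header says.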
Reported by
sicarius
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Business Logic Errors