Privacy Glitch in Snapchat Web Exposed Notification Leak After Logout

On November 23, 2022, I discovered a privacy issue in Snapchat Web that allowed notifications to continue arriving—even after the user had logged out of their session.

While testing, I logged into Snapchat Web via Chrome and then changed my password from the Snapchat mobile app. This action should have invalidated all active sessions, including the one on the web. While the session did log out as expected, I noticed that the browser continued to receive notifications for snaps and video calls—despite no longer being logged in. This indicated a flaw in how Snapchat handled session tokens or notification services.

To confirm the issue, I recorded a proof-of-concept video showing real-time notifications still arriving after logout. This posed a significant privacy risk: if someone else had access to that web session before logout, they could continue to see private activity even after being "kicked out."

When I reported the issue to Snapchat, the triage team acknowledged the behavior but labeled the report as "Informative," stating:

“We have reviewed the described behavior. However, it does not appear to pose any security impact that could adversely affect Snapchat’s users or infrastructure.” Meaning it needs physical access to the device.

In response, I raised a key concern: why should notifications still appear after logging out? To me, logging out means the session should be fully terminated—no further data, no messages, and certainly no notifications. Other social platforms don’t behave this way, and users should expect the same level of privacy and control on Snapchat.

While the issue wasn’t initially treated as a security risk, Snapchat eventually resolved it. Notifications are now fully disabled upon logout on Snapchat Web—bringing its behavior in line with modern privacy expectations.

Comments

Post a Comment

Popular posts from this blog

🚨When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Two-factor authentication (2FA) is supposed to be a cornerstone of digital security. It’s that extra lock on the door — a way to prove you’re really you, not just someone with your password. But what happens if that lock can be turned on silently, without your knowledge? While testing Instagram’s multi-account feature on their mobile app, I discovered a surprising and concerning flaw: when creating a second Instagram account using the same Gmail address within the app, the system automatically enables SMS-based 2FA on the new account without any verification . Yes, you read that right — no SMS code, no confirmation, nothing. How This Happens Imagine you’re logged into Instagram Account A, which already has two-factor authentication enabled with your verified phone number. From there, you use Instagram’s “Add Account” → “Create New Account” option and register a second account, Account B, with the same Gmail . When you try to enable 2FA via text message on Account B, Instagram doesn’...
Read more

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook allows users to control who can see the number of likes on their posts. For those who prefer privacy, there’s an option to make likes visible only to themselves — a simple setting designed to keep that engagement private. But here’s the catch: despite this privacy setting, a surprising loophole exists. Likes that are hidden on the post itself can still be viewed by others through the Reels feature . This inconsistency creates an unintended privacy gap, potentially exposing user engagement data that was meant to stay private. What’s Happening? Users who choose “Only Me” for like visibility expect that no one else can see their like counts on posts. While Facebook respects this setting on the main post, the same setting is not enforced in Reels. When others view the Reel related to the post, they can see the total likes — completely bypassing the user’s privacy preferences. Why This Is a Problem Privacy settings are fundamental to user trust. If a user takes the time to hi...
Read more