Privacy Glitch in Snapchat Web Exposed Notification Leak After Logout

Discovering a Privacy Issue with Snapchat Web Notifications

While using Snapchat Web, I came across a surprising privacy problem related to notifications. This happened on November 23, 2022, when I noticed that even after logging out from Snapchat’s web session, notifications for snaps and video calls kept arriving.


Description of the Issue

I was logged into Snapchat Web on Chrome. Then, I changed my Snapchat password from the mobile app, which should have logged me out from all active sessions, including the browser session. Although the web session did log out properly, I kept receiving notifications on that browser for incoming snaps and video calls.

This suggested a problem in how Snapchat handled session tokens or notification services. Despite being logged out, the browser was still allowed to receive private notifications, which felt like a major privacy breach.

To confirm, I recorded a proof-of-concept video showing notifications arriving on the logged-out session in real time. This meant if someone else had access to that browser before logout, they could continue to see notifications about my activity even though the session was supposed to be terminated.


Steps to Reproduce

  1. Log into Snapchat Web on a browser like Chrome.

  2. Change your Snapchat password from the mobile app to force logout from all sessions.

  3. Observe that the web session logs out as expected.

  4. Notice that notifications for snaps and video calls continue arriving on the browser, even though you are logged out.


Security and Privacy Impact

This behavior creates a significant privacy risk:

  • Persistent Notifications After Logout: Notifications revealing personal activity continue to appear, exposing information to anyone with access to that browser.

  • Session Token Mismanagement: The web session should be fully invalidated, including any notification permissions, but it was not.

  • User Expectation Violation: When users log out, they expect all access and notifications to stop immediately. This flaw breaks that expectation.

  • Potential for Unauthorized Access: If a device is shared or lost, someone else could monitor your Snapchat activity through notifications despite logout.


Business Impact

Even if the issue did not directly allow unauthorized control or data access, it could:

  • Damage user trust due to perceived privacy gaps.

  • Lead to negative user experience and complaints.

  • Raise concerns about Snapchat’s handling of session security compared to competitors.


Response and Resolution

I reported the issue to Snapchat’s security team through their bug bounty program. Initially, the report was marked as “Informative” since they judged it required physical access to the device and did not pose a direct security threat.

However, I argued that users expect notifications to stop immediately upon logout, and that other platforms enforce this properly.

Eventually, Snapchat fixed the problem. Now, when you log out of Snapchat Web, all notifications are fully disabled, which aligns with modern privacy and security standards.


Conclusion

This experience showed me how session management and notification controls must work together to protect user privacy. Logging out should mean exactly that—no more messages, no more notifications, no lingering access.

I’m glad Snapchat addressed this issue, improving user trust and privacy on their platform.

