Image Blog Snapchats API Hack
January 10, 2014

Snapchat API Hack: What Happened?

Security

The Snapchat API hack made headlines in 2014. And there's a lot to learn from this API attack

Your data is out there. While APIs are making access to data easier, they also make it extremely easy for people to come after your data. If enterprises do not take the appropriate steps for API security  —and lay down well-defined processes surrounding API development — their data is at risk.

Back to top

How Did the Snapchat API Hack Happen?

The Snapchat API hack happened because of lax security measures.

What Did the Hackers Take?

The hackers got phone numbers. But the incident reveals the risks when API providers are lax about addressing core security and governance issues. Unfortunately, this happens all too often in the race of being the first to provide innovative functionality and, yes, often attractive eye-popping valuations.

The frightening disregard for security can come back to haunt these companies — just like Snapchat found out.

Did Snapchat Know They Were Vulnerable?

In August, the computer security research firm Gibson Security warned Snapchat about API vulnerabilities that exposed them to the threat of a hack. Snapchat apparently did not heed this warning. As a result, hackers compromised Snapchat API security. They used the API to look up 4.6 million phone numbers and usernames.

What Led to the Snapchat API Hack?

Snapchat did implement some basic security. But it was not at a level that serious security professionals would recommend for such a high profile service. Their measures included some basic SSL and token hashing. They used a hardcoded shared secret key, which was a simple string constant in the app.

Moreover, they did not have mechanisms in their infrastructure to prevent and detect anomalous behavior. For example, they couldn't detect bulk queries for phone numbers and usernames originating from a single client or over a very short period of time.

From the looks of it, they did not institute a governance process to ensure mobile app development best practices were:

  • Enforced.
  • Uniformly tested.
  • Deployed through the entire software development life cycle (SDLC) process in a consistent manner.

 

Snapchat Security Alert
Back to top

Lessons Learned From the Snapchat API Hack

Here are some of the most important lessons learned from the Snapchat API hack.

1. Apply Security Measures

In order to mitigate API security risks, you need to implement enterprise-grade API management. And you need a strong API Gateway.

API platforms provide API security, protecting sensitive data while allowing access to authorized apps and users. They provide capabilities like:

  • Message encryption.
  • OAuth.
  • Built-in PKI and key distribution.
  • First and last mile security.

Enterprise need to secure and encrypt their APIs. But they also need to take measures to prevent and isolate messages that contain malware or scripts that could potentially compromise an enterprise backend infrastructure.

2. Leverage Threat Protection

You'll also need threat protection.

Your API management solution should detect and prevent denial of service (DoS) attacks, malformed messages, or excessive XML/JSON depth and breadth.

Akana, for example, has been providing API security for years to some of the largest institutions in the world. We take pride in facilitating billions of secure transactions every year.

3. Apply Rate Limiting

Simple steps like API rate limiting and API monitoring can prevent callers from bombarding the API. API licensing mechanisms can be put in place to throttle the number of approved calls from a specific developer or app.

In case of Snapchat, the compromising app did a bulk query on obtained access to 4.6 million phone numbers and user names. There were no rate limits placed on the Snapchat API. Also rate limiting should be imposed on all kind of APIs, public, private and test APIs, as you can never be certain as to where a hacker might find a hole.

Implementing advanced API licensing and rate limiting can provide granular level of controls wrt to knobs such as developer, app type, device type, geo-location, and other contexts. API monitoring can be used to actively monitor APIs and provide alerts to API administrators.

4. Manage the Full Lifecycle

No amount of security measures will be effective if they are not properly enforced, deployed, and governed across the entire API lifecycle. This last step is the one that is most often overlooked by start-ups (and enterprises) in the name of speed or agility.

Making this happen involves selecting the right API management solution. That solution needs to work across and connect each stage of the complete lifecycle. If it can’t, the organization risks working on compliance in an incoherent way that invites lapses in control.

Stakeholders connected to the API have to be able to communicate with one another through the platform, including people and entities that are external to the organization that is publishing the API.

Back to top

Avoid Hacks With Akana

The Akana API platform is the best choice to avoid hacks like Snapchat's in the enterprise.

That's because Akana:

  • Accelerates time-to-market with fast API deployment.
  • Automates security, including security policies.
  • Partners with you on your digital transformation strategy.

See the capabilities of the Akana API management platform with a free 6-month trial.

Start my Trial ▶️ WATCH THE DEMO FIRST

 

👉 Become an Expert

Explore additional resources:

Back to top