What The Snappening Taught Us About API Security

The recent Snapchat hack, in which over 200,000 explicit photos were leaked, reiterates the importance of comprehensive app and API security measures. Though Snapchat is blaming illegal unofficial third-party apps for the hack, the fact is that Snapchat's API was too frail from the start.

In May of this year, an FTC action against Snapchat unanimously found Snapchat guilty of deceptive promises that the photo streaming app's content was being "deleted." In fact, the app performs a standard delete rather than an overwrite, leaving all photos and videos completely retrievable. To expose Snapchat's security vulnerabilities, Gibson Security recently reverse-engineered the entire Snapchat API. They found that its shoddily crafted code was easy to override, and that with only a little skill one could easily download a user's images, retrieve telephone numbers, and even replace images.

Even though Snapchat's privacy statement spells out that third-party developers are prohibited from interacting with the API, a mere warning isn't enough to protect user privacy. The lesson to be learned is that "a robust app [should] provide safeguards that assume users will break the rules." As for users, the bottom line is that no one should have complete faith in privacy when uploading content to the internet.


Original article: Security Lessons Courtesy of Snapchat