What The Snappening Taught Us About API Security

Snapchat's recent hack of over 200,000 explicit photos reiterates the importance of comprehensive app & API security measures. Though Snapchat is blaming illegal unofficial 3rd party apps for the hack, the fact is that Snapchat's API was too frail from the start.

In May of this year, an FTC action lawsuit against Snapchat unanimously found Snapchat guilty of deceptive promises that the photo streaming app's content was being "deleted." In fact, the app performs a standard delete rather than an overwrite, making all photos and videos completely retrievable. To expose Snapchat's security vulnerabilities, Gibson Security recently reverse-engineered the entire Snapchat API. They found that its shoddily crafted code was easy to override, and that with only a little skill one could easily download images from a user, retrieve telephone numbers, and even replace images.

Even though Snapchat spells out on their privacy statement that they prevent 3rd party developers from interacting with the API, a mere warning isn't enough to protect user privacy. The lesson to be learned is that "a robust app [should] provide safeguards that assumes users will break the rules." When it comes down to users, the bottom line is that no one should have complete faith in privacy when uploading content to the internet.


Original Article

Security Lessons Courtesy of Snapchat

Bill Doerrfeld I am a consultant that specializes in API economy research & content creation for developer-centric programs. I study Application Programming Interfaces (APIs) and related tech and develop content [eBooks, blogs, whitepapers, graphic design] paired with high-impact publishing strategies. I live and work in Seattle, and spend most of my time as Editor in Chief for Nordic APIs, a blog and knowledge center for API providers. For a time I was a Directory Manager & Associate Editor at ProgrammableWeb, and still add new APIs to the directory every now and then. Let's connect on Twitter at @DoerrfeldBill, or follow me on LinkedIn.