BreadcrumbHomeResourcesBlog Snapchat API Hack: What Happened? January 10, 2014 Snapchat API Hack: What Happened?SecurityThe Snapchat API hack made headlines in 2014. And there's a lot to learn from this API attack. Your data is out there. While APIs are making access to data easier, they also make it extremely easy for people to come after your data. If enterprises do not take the appropriate steps for API security —and lay down well-defined processes surrounding API development — their data is at risk.Table of ContentsHow Did the Snapchat API Hack Happen?Lessons Learned From the Snapchat API HackAvoid Hacks With AkanaTable of Contents1 - How Did the Snapchat API Hack Happen?2 - Lessons Learned From the Snapchat API Hack3 - Avoid Hacks With AkanaBack to topHow Did the Snapchat API Hack Happen?The Snapchat API hack happened because of lax security measures.What Did the Hackers Take?The hackers got phone numbers. But the incident reveals the risks when API providers are lax about addressing core security and governance issues. Unfortunately, this happens all too often in the race of being the first to provide innovative functionality and, yes, often attractive eye-popping valuations.The frightening disregard for security can come back to haunt these companies — just like Snapchat found out.Did Snapchat Know They Were Vulnerable?In August, the computer security research firm Gibson Security warned Snapchat about API vulnerabilities that exposed them to the threat of a hack. Snapchat apparently did not heed this warning. As a result, hackers compromised Snapchat API security. They used the API to look up 4.6 million phone numbers and usernames.What Led to the Snapchat API Hack?Snapchat did implement some basic security. But it was not at a level that serious security professionals would recommend for such a high profile service. Their measures included some basic SSL and token hashing. They used a hardcoded shared secret key, which was a simple string constant in the app.Moreover, they did not have mechanisms in their infrastructure to prevent and detect anomalous behavior. For example, they couldn't detect bulk queries for phone numbers and usernames originating from a single client or over a very short period of time.From the looks of it, they did not institute a governance process to ensure mobile app development best practices were:Enforced.Uniformly tested.Deployed through the entire software development life cycle (SDLC) process in a consistent manner. Back to topLessons Learned From the Snapchat API HackHere are some of the most important lessons learned from the Snapchat API hack.1. Apply Security MeasuresIn order to mitigate API security risks, you need to implement enterprise-grade API management. And you need a strong API Gateway.API platforms provide API security, protecting sensitive data while allowing access to authorized apps and users. They provide capabilities like:Message encryption.OAuth.Built-in PKI and key distribution.First and last mile security.Enterprise need to secure and encrypt their APIs. But they also need to take measures to prevent and isolate messages that contain malware or scripts that could potentially compromise an enterprise backend infrastructure.2. Leverage Threat ProtectionYou'll also need threat protection.Your API management solution should detect and prevent denial of service (DoS) attacks, malformed messages, or excessive XML/JSON depth and breadth.Akana, for example, has been providing API security for years to some of the largest institutions in the world. We take pride in facilitating billions of secure transactions every year.3. Apply Rate LimitingSimple steps like API rate limiting and API monitoring can prevent callers from bombarding the API. API licensing mechanisms can be put in place to throttle the number of approved calls from a specific developer or app.In case of Snapchat, the compromising app did a bulk query on obtained access to 4.6 million phone numbers and user names. There were no rate limits placed on the Snapchat API. Also rate limiting should be imposed on all kind of APIs, public, private and test APIs, as you can never be certain as to where a hacker might find a hole.Implementing advanced API licensing and rate limiting can provide granular level of controls wrt to knobs such as developer, app type, device type, geo-location, and other contexts. API monitoring can be used to actively monitor APIs and provide alerts to API administrators.4. Manage the Full LifecycleNo amount of security measures will be effective if they are not properly enforced, deployed, and governed across the entire API lifecycle. This last step is the one that is most often overlooked by start-ups (and enterprises) in the name of speed or agility.Making this happen involves selecting the right API management solution. That solution needs to work across and connect each stage of the complete lifecycle. If it can’t, the organization risks working on compliance in an incoherent way that invites lapses in control.Stakeholders connected to the API have to be able to communicate with one another through the platform, including people and entities that are external to the organization that is publishing the API.Back to topAvoid Hacks With AkanaThe Akana API platform is the best choice to avoid hacks like Snapchat's in the enterprise.That's because Akana:Accelerates time-to-market with fast API deployment.Automates security, including security policies.Partners with you on your digital transformation strategy.See the capabilities of the Akana API management platform with a free 6-month trial.Start my Trial ▶️ WATCH THE DEMO FIRST 👉 Become an ExpertExplore additional resources:API BasicsAPI Security Best PracticesBack to top
