The Snapchat API breach – Ensure your API isn't next

January 15, 2014 | By Mark O'Neill, VP Innovation, Axway

Businesses connect to mobile apps, cloud services, and developers using Web APIs (Application Programming Interfaces), but unfortunately, these APIs are often deployed without regard for security. The recent attack on the Snapchat API followed hot on the heels of the attack on the Buffer API. In each case, we saw that failure to secure Web APIs has serious business consequences. In the Snapchat case, 4.6 million usernames and phone numbers were exposed. It could be argued that Snapchat is “just” a consumer service. But this kind of exposure could have easily involved credit card details, health records, or social security numbers.

The good news is that a solution exists to protect APIs. To help address the rising security and privacy concerns, an API gateway can minimize vulnerabilities, and the promise of APIs can be realized.

Let’s see how an API gateway protects against security vulnerabilities.

Throttling of API traffic

API calls can be throttled based on user, incoming IP address, or other factors. In the screenshot below, we see how a throttling (i.e., rate-limiting, quota-management) filter is simply dragged and dropped into a policy for an API.

[[{"type":"media","view_mode":"media_large","fid":"718","attributes":{"class":"media-image aligncenter size-medium wp-image-3596","typeof":"foaf:Image","style":"","width":"300","height":"158","alt":"1-throttle"}}]]

Deny by Default

If an API is not intended to be used by clients, it should not be possible for a curious developer to "uncover" it. Remember: security through obscurity is no security at all. In the API gateway security model, API calls are protected by a "Deny by Default" security posture. Below, you can see the list of protected APIs. Others are denied by default.

[[{"type":"media","view_mode":"media_large","fid":"719","attributes":{"class":"media-image aligncenter size-medium wp-image-3595","typeof":"foaf:Image","style":"","width":"300","height":"159","alt":"2-DbD"}}]]

Real-time visibility of API usage

When API usage is shown in real-time, it is immediately clear if someone is attempting to put the API to nefarious use. In the case of Snapchat, data mining of user information was possible without the social network’s knowledge that it was occurring. Real-time monitoring of API usage would have addressed this. This is what that looks like:

[[{"type":"media","view_mode":"media_large","fid":"720","attributes":{"class":"media-image aligncenter size-medium wp-image-3597","typeof":"foaf:Image","style":"","width":"300","height":"178","alt":"Screenshot-1-API-Monitoring"}}]]

Alerting of usage anomalies

If any unusual anomalous usage of APIs is detected, an alert must be issued. It is not enough to alert the API management system itself; the network monitoring infrastructure must also be alerted, and the alert must be readable by log management products such as Splunk.

In the screenshot below, you can see how an alert, including dynamically set information about the client in question, is issued.

[[{"type":"media","view_mode":"media_large","fid":"721","attributes":{"class":"media-image aligncenter size-medium wp-image-3594","typeof":"foaf:Image","style":"","width":"300","height":"160","alt":"anomalous"}}]]

If you suspect your APIs have been deployed without a proper regard for security, take heart: If you heed these tips immediately, you can ensure that your API will never suffer an attack like the one that befell Snapchat.


TOPICS: API Management

Mark O'Neill

VP Innovation, Axway