Timeline for How to prevent third party misuse of what is intended to be a private api (avoiding what happened to Snapchat)?
Current License: CC BY-SA 3.0
12 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Oct 24, 2014 at 17:48 | answer added | amwmedia | | timeline score: 0 |
| Oct 17, 2014 at 7:18 | history tweeted | twitter.com/#!/StackProgrammer/status/523010246692720641 | | |
| Oct 16, 2014 at 23:43 | comment added | ajeetdl | | @FrustratedWithFormsDesigner, I was not familiar with the 'social engineering' term/phrase, interesting. I've been reading the Wikipedia article on it; it seems phishing falls within this category, and in a sense what is going on here is similar to phishing, except it's unclear whether these users were aware or unaware it was not an official Snapchat app. |
| Oct 16, 2014 at 23:37 | comment added | ajeetdl | | @delnan, I am using JSON Web Tokens (JWT); the problem is if the 3rd party app calls the login API (with a username and password) it will receive the API key and from then on API calls will be considered authenticated. |
| Oct 16, 2014 at 20:30 | answer added | ChargerIIC | | timeline score: 6 |
| Oct 16, 2014 at 17:46 | comment added | Ampt | | @FrustratedWithFormsDesigner I know, right? All that technical know-how brought down by users just giving out their passwords to strangers on the web. For shame, Snapchat! |
| Oct 16, 2014 at 17:45 | comment added | FrustratedWithFormsDesigner | | @Ampt Gosh, it's too bad Snapchat never thought of that! |
| Oct 16, 2014 at 17:19 | comment added | Ampt | | Sure, tell your users not to log into a third party site using their username and password. That should take care of your API abuse problems. |
| Oct 16, 2014 at 17:16 | comment added | user7043 | | When you wrote that the private API calls need to require authentication, I agreed. But it seems we were thinking of different things. A private API call, i.e. an action that 3rd party apps should not be able to use, should demand authentication of the app, via an API key or something similar, regardless of whether the action being performed also requires user authentication. |
| Oct 16, 2014 at 17:10 | comment added | FrustratedWithFormsDesigner | | I haven't been following this as closely as you, but it sounds like the 3rd-party use of the Snapchat API succeeded because of successful social engineering. No matter how good your code is, it's hard to code against social engineering. |
| Oct 16, 2014 at 17:06 | review: First posts | | | Oct 16, 2014 at 17:42 |
| Oct 16, 2014 at 17:04 | history asked | ajeetdl | CC BY-SA 3.0 | |