Graham Smith is searching through his texts to find the conversation he had earlier this month with Snapchat co-founder Bobby Murphy.
He finds it.
“Hi Bobby,” he had written.
“Who is this?” was the reply.
“I basically explained that I was your average 16-year-old, but I had found a security flaw and that I was looking to help them,” Smith recalls responding. The Snapchat boss gave him his email.
When he isn’t doing homework or going to class in Dallas, Texas, the high school sophomore has been revealing holes and vulnerabilities in the ephemeral photo-sharing app that bills itself on privacy and secrecy. Instead of playing soccer this winter, Smith has been staying up late, wading through Snapchat’s backend, and recently began chronicling its flaws and his communication with the company on his blog.
And his late nights are paying off. Smith’s name has been spread far and wide this past week after he proved the company had failed to properly patch holes in its security after a massive leak of millions of users’ private information late last month.
“My goal is making Snapchat the product it says it is,” he says. But despite the flaws he’s pointed out, Smith says the company isn’t listening to his concerns or those of fellow “white hat” hackers, who alert tech companies to vulnerabilities for the user’s benefit.
Smith, who’s pictured on his blog as a sunglass-wearing, mop-topped teen, taught himself computer programming when he was 12 by reading other developers’ code. By 8th grade he was stretching his fingers by building apps for Windows phones—the “tip of the iceberg,” he calls it. It was this past June, a few months after making a Snapchat account, that Smith started reading the app’s code. He found it “iffy,” he says, and he started searching for vulnerabilities.
Now, he’s finding holes in Snapchat’s security for what he calls “a good learning experience.” Unfortunately, Smith says, the company hasn’t been listening to its biggest student. He foresees more hacks in its future.
“It’s hard for anybody to take criticism from a 16-year-old,” he says with self-awareness. “That’s basically what I was doing: telling you there was a flaw in your product. No one likes that.”
Over the past few months, a number of revelations and leaks have punched holes in the company’s veneer of security and secrecy. On Dec. 31, 4.6 million phone numbers and usernames were leaked by hackers demonstrating a security hole that a white-hat group called Gibson Security had alerted Snapchat to back in August. “Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t,” the anonymous SnapchatDB.info said after the data dump. “Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data.”
It was this trove of numbers that allowed Smith to find Murphy’s number: by taking the first 8 digits from the database and then plugging in 0-9 in the remaining two spots, he hit upon the co-founder’s full number in less than a minute.
The hackers’ code that pulled and published millions of numbers was retrieving them at a rate of 1,500 each minute. In response, Snapchat limited requests to the “Find Friends” feature, which lets you add contacts from your phone, to one an hour. But Smith set up multiple accounts and found it was still possible to pull about 25 numbers per minute, and around 36,000 a day. It was this discovery that prompted him to email Snapchat’s team four days after the leak about the unfixed problem. They responded later saying it was being worked on, but when nothing changed in the following days, he proved the issue persisted by pulling Murphy’s number and contacting him directly.
“I don’t want to be the bad guy,” Smith says. “I just want to make sure users are getting the end of the bargain, that their user information is safe.”
Last week, Snapchat responded by requiring a phone number verification to use Find Friends and implementing a “SNAPTCHA,” their version of a CAPTCHA to catch bots. But within hours it was hacked and the break-in code was released. Smith also figured out a way to circumvent the added security, but for now, he’s keeping that code under wraps so it doesn’t get abused. “I’m not trying to make them enemies,” Smith says. “I just kinda want to work with them.”
He has no interest in working for the company, though he did do an interview over Google Hangouts for a programmer position, which he says didn’t go well. “I thought it’d be neat to work for such an awesome company at that point,” he says. But now he’s discouraged by what he sees as a dismissal of suggestions that would benefit users.
“They’re not willing to go as far as they need to go to fix security,” he says, noting that if the app wants to implement the ironclad protection for its users that he and others in the computer security world recommend, it will have to drop old versions of the app, thereby losing a slew of legacy users. The company’s refusal to do so is a misguided priority, he says.
“We continue to make significant progress in our efforts to secure Snapchat,” Mary Ritti, a spokeswoman for Snapchat, said of the response to Smith’s findings. “For security reasons, we cannot provide detailed information on security countermeasures.”
Many large tech companies offer “bug bounties” for people who find flaws or weaknesses in their code. But not Snapchat. It’s something they’re apparently working on, Smith says Murphy recently told him. (Snapchat did not respond to a request to confirm this.)
“I doubt they will take any of the previous works by me or anyone else into consideration for bounties though,” Smith wrote in an email. “Too little, too late if you ask me.”
Apart from the phone number siphoning flaw, Smith is concerned about photo encryption, for which encryption keys are already published online. This means if a “man in the middle” attack occurred, in which a malicious hacker grabs information being sent between two users, and “someone intercepted a Snapchat being snapped, it would easily be decrypted,” he says, calling the encryption “weak” and in need of a change.
For now, Smith will continue to test the strength of each patch Snapchat comes up with. And as long as the problems persist, he’ll be pointing out issues. He also hopes to join forces with a few other security researchers to completely rebuild Snapchat with an entirely secure system and then post the code to show the company what it should be doing.
He hopes to go to Stanford and major in computer science, but for now he has to juggle homework with his online vigilante persona. “It costs me time, which is worth something I guess if you consider it has an effect on my grades,” he writes in an email. Luckily, he doesn’t have to try hard in AP Computer Science class, which he says his skills already surpass.
Meanwhile, in his high school hallways, the sophomore has become a bit of a celebrity. He has a slew of friend requests from people “who had no idea who I was” before the Snapchat notoriety. In the hallways he hears, “Congrats, that’s awesome, I hear you’re gonna be the next billionaire.”