Graham Smith is searching through his texts to find the conversation he had earlier this month with Snapchat co-founder Bobby Murphy.
â€œHi Bobby,â€� he had written.â€œWho is this?â€� was the reply.
â€œI basically explained that I was your average 16-year-old, but I had found a security flaw and that I was looking to help them,â€� Smith recalls responding. The Snapchat boss gave him his email.When he isnâ€™t doing homework or going to class in Dallas, Texas, the high school sophomore has been revealing holes and vulnerabilities in the ephemeral photo-sharing app that bills itself on privacy and secrecy. Instead of playing soccer this winter, Smith has been staying up late, wading through Snapchatâ€™s backend, and recently began chronicling its flaws and his communication with the company on his blog .
And his late nights are paying off. Smithâ€™s name has been spread far and wide this past week after he proved the company had failed to properly patch holes in its security after a massive leak of millions of usersâ€™ private information late last month.â€œMy goal is making Snapchat the product it says it is,â€� he says. But despite the flaws heâ€™s pointed out, Smith says the company isnâ€™t listening to the concerns of him or fellow â€œwhite hatâ€� hackers, who alert tech companies to vulnerabilities for the userâ€™s benefit.
Smith, whoâ€™s pictured on his blog as a sunglass-wearing, mop-topped teen, taught himself computer programming when he was 12 by reading other developersâ€™ codes. By 8th grade he was stretching his fingers by building apps for Windows phonesâ€”the â€œtip of the iceberg,â€� he calls it. It was this past June, a few months after making a Snapchat account, that Smith started reading the appâ€™s code. He found it â€œiffy,â€� he says, and he started searching for vulnerabilities.Now, heâ€™s finding holes in Snapchatâ€™s security for what he calls â€œa good learning experience.â€� Unfortunately, Smith says, the company hasnâ€™t been listening to its biggest student. He foresees more hacks in its future.
â€œItâ€™s hard for anybody to take criticism from a 16-years-old,â€� he says with self-awareness. â€œThatâ€™s basically what I was doing: telling you there was a flaw in your product. No one likes that.â€�Over the past few months, a number of revelations and leaks have punched holes in the companyâ€™s veneer of security and secrecy. On Dec. 31, 4.6 million phone numbers and usernames were leaked by hackers demonstrating a security hole that a white-hat group called Gibson Security had alertedSnapchat to back in August. â€œSnapchat could have easily avoided that disclosure by replying to Gibsonsecâ€™s private communications, yet they didnâ€™t,â€� the anonymous SnapchatDB.info said after the data dump. â€œEven long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data.â€�
It was this trove of numbers that allowed Smith to find Murphyâ€™s number: by taking the first 8 digits from the database and then plugging in 0-9 in the remaining two spots, he hit upon the co-founderâ€™s full number in less than a minute.The hacker code that pulled and published millions was retrieving numbers at a rate of 1,500 each minute. In response Snapchat limited how many times you could request from the â€œFind Friendsâ€� feature, which lets you add contacts from your phone, to one an hour. But Smith set up multiple accounts and found it was still possible to pull about 25 numbers per minute, and around 36,000 a day. It was this discovery that prompted him to email Snapchatâ€™s team four days after the leak about the unfixed problem. They responded later saying it was being worked on, but when nothing changed in the coming days, he proved the issue prevailed by pulling Murphyâ€™s number and contacting him directly.
â€œI donâ€™t want to be the bad guy,â€� Smith says. â€œI just want to make sure users are getting the end of the bargain, that their user information is safe.â€�Last week, Snapchat responded by requiring a phone number verification to use Find Friends and implementing a â€œSNAPTCHA,â€� their version of a CAPTCHA to catch bots. But within hours it was hacked and the break-in code was released. Smith also figured out a way to circumvent the added security, but for now, heâ€™s keeping that code under wraps so it doesnâ€™t get abused. â€œIâ€™m not trying to make them enemies,â€� Smith says. â€œI just kinda want to work with them.â€�
â€œWe continue to make significant progress in our efforts to secure Snapchat,â€� Mary Ritti, a spokeswoman for Snapchat, said of the response to Smithâ€™s findings. â€œFor security reasons, we cannot provide detailed information on security countermeasures.â€�Many large tech companies offer â€œbug bountiesâ€� for people who find flaws or weaknesses in their code. But not Snapchat. Itâ€™s something theyâ€™re apparently working on, Smith says Murphy recently told him. (Snapchat did not respond to a request to confirm this.)
â€œI doubt they will take any of the previous works by me or anyone else into consideration for bounties though,â€� Smith wrote in an email. â€œToo little, too late if you ask me.â€�Apart from the phone number siphoning flaw, Smith is concerned about photo encryption, for which encryption keys are already published online. This means if a â€œman in the middleâ€� attack occurred, in which a malicious hacker grabs information being sent between two users, and â€œsomeone intercepted a Snapchat being snapped, it would easily be decryptedâ€� he says, calling the encryption â€œweakâ€� and in need of a change.
For now, Smith will continue to test the strength of each patch Snapchat comes up with. And as the problems prevail, heâ€™ll be pointing out issues. He also hopes to join forces with a few other security researchers to completely rebuild Snapchat with an entirely secure system and then posting the code to show them what they should be doing.He hopes to go to Stanford and major in computer science, but for now he has to juggle homework with his online vigilante persona. â€œIt costs me time, which is worth something I guess if you consider it has an effect on my grades,â€� he writes in an email. Luckily, he doesnâ€™t have to try hard in AP Computer Science class, which he says his skills already surpass.
Meanwhile, in his high school hallways, the sophomore has become a bit of a celebrity. He has a slew of friend requests from people â€œwho had no idea who I wasâ€� before the Snapchat notoriety. In the hallways he hears, â€œCongrats, thatâ€™s awesome, I hear youâ€™re gonna be the next billionaire.â€�http://m.yahoo.com/w/ygo-frontpage/lp/story/3452793/coke.bp?.tsrc=tmobustoday&.intl=us&.lang=en-us