Graham Smith is a security researcher who's spent the last few weeks probing Snapchat after a major hack over the holidays exposed millions of usernames and phone numbers. Since the breach, Smith has found more security weaknesses in the app and used one of them to pester Snapchat CTO Bobby Murphy into taking action.
Graham Smith is also a high-school sophomore. And when he's not in class, the young Texan has been pushing Snapchat to update its service as he unearths new vulnerabilities affecting the company's users.
The controversy surrounding Snapchat — an app that lets users take pictures and video that self-destruct after a few seconds — mainly concerns its Find Friends feature, which helps you locate and connect with other Snapchatters in your address book.
During the Christmas breach, an Australian group known as Gibson Security used a hole in Snapchat's software to match user phone numbers to account names with Find Friends. In response, Snapchat limited the rate at which accounts could make requests of the Find Friends feature to one per hour.
But the next day, Smith said in a blog post that the restriction would hardly slow a determined attacker. All he had to do was set up multiple Snapchat accounts and set them to access Find Friends in concert to defeat the new security feature. With his collection of dummy accounts, Smith said he was still able to make 25 requests per minute — down from 1,500 per minute before Snapchat's update, but nowhere near the cap of one per hour the company had intended to implement. Smith said the vulnerability was still there several days after he alerted Snapchat to the problem.
So Smith said he tried to look up the phone number of Snapchat's co-founder. He searched Gibson Security's database of compromised accounts to see whether CTO Bobby Murphy was among them. He was, but Gibson Security had blacked out the final two digits of Murphy's phone number. No matter; Smith's army of Snapchat accounts produced the digits associated with Murphy's account in short order.
Smith called Murphy, then sent a text. Murphy wrote back, "Who is this?" And Smith told him his story. Murphy said he'd look into it.
Mary Ritti, a company spokesperson, declined to comment Wednesday on Smith's analysis of Snapchat's security or the teenager's interactions with the company, including the text exchange with Murphy. "We appreciate the efforts of those who help identify vulnerabilities in our service and we continue to make significant progress in our efforts to secure Snapchat," Ritti said. "Snapchatters can opt out of linking their username and phone number in settings."
Snapchat has since made several changes. For instance, it now requires people to verify their phone numbers before it lets them use Find Friends. After Smith pointed out that the new version of the app never called back to the company's server to confirm that a phone number had actually been verified, Snapchat added server-side checks as an additional layer of security.
The company has also added a graphical CAPTCHA that demands you pick out Snapchat's ghost logo on various backgrounds before granting access to the app. The idea is to prevent bots like Smith's from acting autonomously in the app. When I spoke to Smith on Tuesday, he said he hadn't tested the new feature. But Steven Hickson, another security researcher, said Wednesday that it took fewer than 100 lines of code to break Snapchat's latest security fix.
Meanwhile, Smith said that while some Snapchat content is encrypted using a strong block-cipher mode known as cipher block chaining (CBC), not all of it is. In some cases the company uses another mode, Electronic Codebook (ECB), which encrypts every block of data independently of the others. While that's better than no encryption at all, according to Smith, the use of the weaker mode poses a potential vulnerability. (Here's a lengthy explainer on the differences between CBC and ECB encryption.)
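To make the CBC-versus-ECB point concrete, here is an added example using only Go's standard library (it is not Snapchat's code or Smith's). It encrypts a constructed 64-byte input made of four identical 16-byte blocks under AES in both modes and counts repeated ciphertext blocks: ECB reproduces the repetition, which is exactly the structure leak that makes it the weaker choice, while CBC hides it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptECB runs the raw block cipher over each block on its own, so identical plaintext blocks give identical ciphertext blocks.
func encryptECB(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// encryptCBC XORs each plaintext block with the previous ciphertext block (the IV for the first), hiding repetition.
func encryptCBC(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier one; anything above zero means plaintext structure leaks.
func repeatedBlocks(ct []byte, bs int) int {
	seen := map[string]int{}
	for i := 0; i < len(ct); i += bs {
		seen[string(ct[i:i+bs])]++
	}
	repeats := 0
	for _, n := range seen {
		repeats += n - 1
	}
	return repeats
}

func main() {
	key, iv := make([]byte, 16), make([]byte, aes.BlockSize)
	rand.Read(key) // fresh random key, and a fresh, unpredictable IV for every message
	rand.Read(iv)
	block, _ := aes.NewCipher(key) // a 16-byte key is always valid, so no error to handle
	pt := bytes.Repeat([]byte("sixteen-byte-blk"), 4) // constructed input: four identical blocks
	fmt.Println("ECB repeated blocks:", repeatedBlocks(encryptECB(block, pt), aes.BlockSize)) // 3
	fmt.Println("CBC repeated blocks:", repeatedBlocks(encryptCBC(block, iv, pt), aes.BlockSize)) // 0
}
```

The input is already a multiple of the block size; real data needs padding first, and CBC also needs integrity protection (a MAC) on top, which neither mode provides by itself.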
"Snapchat has written in its back end so many poor fixes that their code is messy and inconsistent sometimes," said Smith in an interview, explaining why the company may be having trouble making comprehensive patches.
Looks like it might continue to be up to sharp-eyed people like Smith to point them out.