Not too many people can say they hacked into what’s valued as a $3 billion company before getting their driver’s license—but Graham Smith can. The teen who prompted Snapchat to introduce its Snaptcha system and then subsequently hacked it is an exception to his peers, many of whom are busy sending ugly-face selfies instead of meticulously trying to find holes in the app’s code.
The 16-year-old downloaded Snapchat when all his friends did, but he had different reasons. He’s been working to expose the app’s weak security system; luckily he isn’t doing it to snag NSFW or otherwise embarrassing photos. He’s doing it to help Snapchat improve its security.
“I had a Snapchat account, sure. I never really used it like your average Snapchatter,” Smith told the Daily Dot via email. “I wasn't sending nudes, selfies, etc. Ever since I created it I've been using it for testing purposes. All of my friends use Snapchat on a daily basis and were super enthusiastic when they heard about all of this.”
Gibson Security’s hack over the holidays last year originally sparked Smith’s interest, when the company found 10,000 phone numbers from Snapchat’s server in minutes. Smith had been working on the same hack, but didn’t come forward because he heard Snapchat wasn’t interested in cooperating with white hat hackers, something Smith later found out first-hand.
The high school sophomore from Dallas, Texas, began his communication with Snapchat after he tired of the app’s “quick-fixes” that didn’t seem to actually protect the system. Snapchat’s Find Friends function allowed a user to determine if a phone number is attached to an account through a simple request from. That's what allowed Gibson Security to uncover all those phone numbers recently. Given the enormity of the discovery, Smith was surprised at Snapchat’s apparent apathy.
“I knew from the beginning that I wasn’t going to get money or a job (although I certainly did ask for both after losing all patience with them, considering I had ‘wasted’ a fair amount of my time),” Smith said.
After failed inquiries to Snapchat, things escalated. Eventually Smith’s frustration led him to take a drastic measure: hacking Snapchat’s database to find the information of its cofounder, Bobby Murphy. With Murphy’s phone number in hand, Smith simply sent Murphy a text.
“With communications not going well, I was just enjoying pissing them off," he said. "I mean, here's me, [someone who just turned 16], making a bunch of Stanford students and grads look like they were no better than a high schooler (funny enough, right?). I can't admit that I didn't enjoy that, hence I continued trying to get around fixes.”
Eventually, his one-man rebellion against Snapchat had some positive payoffs. Smith’s relentless pursuit of breaching Snapchat’s system earned him an interview with the company for a software engineer position on Janu. 10. Unfortunately, nerves took a toll on him.
“I had never interviewed for a job before, let alone done a programming interview,” he wrote in his blog. "I cracked under pressure. Wasted both of our time."
And we all know what happened next: Snaptcha. In response to Smith’s hack-a-thon, Snapchat created a security wall that attempted to keep robots from creating accounts. But Smith knew the development wasn’t fool-proof.
“If anything, it decreases security because, even though it might slow down an attack a little, it provides the illusion of security,” Smith reasoned. "It's better to know about existing vulnerabilities than to be under the illusion that there are none. That's what Snapchat has been doing from day one, hiding the truth."
And he was right: Snaptcha was hacked on day one. Smith wasn’t the first to defeat the system (he was in class, so he had to get to it later), but he established a code shortly after the first one there, hacker Steven Hickson. Smith didn’t want to release his code until Snapchat had patched the error and given him approval to post, suggesting that his relationship with the company is more positive than previously.
“I would tell you that I'd give you a transcript of my messages back-and-forth with Bobby, but he'd rather not and I respect that” Graham said. "My timeline [blog] is being updated as more information comes up because this is an ongoing process and I'm trying to be as professional as possible.
“I'll have some more information about this that I might put on my blog, but I'm working it out with Bobby because I'm not the bad guy. Paraphrasing Tron (the original, of course): I fight for the users.”