
A Snapchat OSINT Tip: Viewing Bitmoji Changes

In today’s episode of “Blogs That Should Have Been a Tweet”, I want to give you a tip about Snapchat. More specifically, a tip about Bitmoji users on Snapchat. First though, let’s back up a few steps… Bitmoji is an app that allows users to create a cartoon representation of themselves by picking everything from features to accessories to clothing. You can use this “cartoon you” in many places online and in apps, but it’s most commonly associated with use in Snapchat (the company who bought Bitmoji back in 2016). An estimated 3/4 of all Snapchat users use Bitmoji!

It’s hard to overstate the value of posted photos in OSINT work. When people post photos of themselves, they’re giving you a glimpse at a moment in time, and seeing them with your own eyes can sometimes be the key to answering other investigative questions about your subject. (We are of course excluding that photo of me at the age of 12 standing outside Busch Gardens, sporting a Terminator wanna-be flat top haircut, tight-rolled acid washed jeans, a fanny pack, and glasses with the strap on the back while a parrot perches casually on my hand. No questions went unanswered in that masterpiece)

What about Bitmoji though? Can there be investigative value in viewing a person’s self-generated and self-depicting cartoon? Of course there can! Depending on the context in which you receive the image, it may help you to narrow a search pool of similarly-named individuals, refine your research based on certain visual factors, or even help you make comparisons to known social media accounts that are using or have posted the Bitmoji. Many users will make an effort to ensure their cartoon self is at least recognizably close to the look of their real self.

Now, before we go any farther, I know there’s at least one of you sitting at home shaking your head because there are soooo many variables here. After all, we are talking about someone making their own digital persona in any way, shape or form, using a robust but still finite set of features. Even users who are trying to stay true to form might just give themselves a little esthetic help where they’d like it. I mean, you should see the waistline on my Bitmoji, I haven’t been that thin since… well, the infamous Busch Gardens photo. Anyway, I get it. Like everything we do in OSINT though, in the proper context, it can be a clue.

Let’s say you have found your subject online in one social media site, and you’ve moved on to finding their accounts on other platforms. You’ve decided to start at Snapchat since you see they’ve posted a Bitmoji of themselves, and you know that chances are good that they may also have a Snap. You’ve got a real name and a username from the profile you’ve found, so you’re running username queries using the web version of Snapchat, but you’re just not sure if you’ve found the right person. The name is right, but the cartoon character smiling back at you… is not a match for the one posted by your known account. If you’re like me, you don’t take anything at face value! You probably wonder how long it’s looked this way, and what it may have looked like before.

Snapchat users with a Bitmoji avatar can make changes to the appearance of their cartoon persona any time they want, as much as they want, directly from Snapchat. When someone searched for them moments ago, they looked one way, but now… they may look completely different. Like this guy who used to be cool but eventually turned his life around:

This guy can’t wait for his high school reunion.

If only you could access a prior Bitmoji to compare with the one you’ve found in your earlier research, you could be that much more confident about the potential of your findings… well it turns out that sometimes you can, with a simple URL manipulation.

When you visit someone’s Snapchat profile page via the web URL, by adding their username to the end of: “https://snapchat.com/add/” you land on a page that can look a few different ways depending on the user. Some will simply be a Snap code or a recent Story, while others may contain no avatar at all or perhaps just the face, and those aren’t going to be our focus here. The one we want is one of the more common landing page possibilities, a full-body avatar image of their beloved Bitmoji that looks something like this:

Now you’re in business! When you find yourself on a profile that looks like this, and you want to view the looks of some of their prior Bitmoji, here’s what you do:

1. Right click on the Bitmoji image and select “Open image in new tab” – you’ll get a page that looks like this, which is serving you just their current avatar:

2. Review the last few characters of the URL preceding the .webp extension, they’ll look something like this:

3. When reviewing the URL of the image, you’re looking for that number immediately following the underscore (in the above case it’s 51). That number represents the version of Bitmoji you’re currently viewing. I wonder if the prior versions are stored there as well?
If you simply start changing those digits to lower numbers, refreshing the page and working your way back, you’ll see that they are! In this case, if you work back through the prior versions of their avatar you’ll see numerous changes, and when you get to version 35 you see this:

Interesting…
So does this previously stylish cartoon persona simply enjoy the comfort and freedom offered by wearing scrubs? Perhaps!
Or do they love hospital-themed, early 2000’s sitcoms featuring a prime Zach Braff? Trick question! Everyone loved that show.
More importantly, could they work in some type of medical position, and could that information align with other findings? It’s entirely possible.

There is a limit to this backward research, and at some point you’ll roll back to a number and suddenly the avatar will revert to the current one. In the case of the above person, that happened after image 33. Anything 32 and prior will just show me the same current Bitmoji I started with at 51, but if my math is correct (and it rarely is) that means I was able to see 18 versions of this person’s digital self!
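The steps and the rollback limit described above, worked offline as an added example (not code from this post or from any tool it mentions). The host, path and ID in `SAMPLE_URL` are constructed placeholders, the digests are constructed stand-ins for hashes of images you saved while stepping back by hand, and every function name is hypothetical.

```python
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: the version is the run of digits after the last underscore of
# the file name, somewhere before ".webp" (51 in the post's example).
_VERSION = re.compile(r"_(\d+)(?=[^/_]*\.webp$)")

def version_of(url: str) -> int:
    m = _VERSION.search(urlsplit(url).path)
    if m is None:
        raise ValueError("no _<version> before .webp in this URL")
    return int(m.group(1))

def with_version(url: str, n: int) -> str:
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=_VERSION.sub(f"_{n}", parts.path, count=1)))

def candidate_urls(url: str) -> dict[int, str]:
    """Every lower version number mapped to the URL to try, newest first."""
    return {n: with_version(url, n) for n in range(version_of(url) - 1, 0, -1)}

def prior_versions(current: int, digests: dict[int, str], confirm: int = 2) -> list[int]:
    """Versions below `current` that were served before the rollback limit.

    The limit is declared only after `confirm` consecutive versions hash the
    same as the current image, so one earlier look that happens to equal
    today's avatar is not mistaken for the limit.
    """
    kept, pending = [], []
    for n in range(current - 1, 0, -1):
        if n not in digests:
            break                      # nothing saved for n: stop, don't guess
        if digests[n] == digests[current]:
            pending.append(n)
            if len(pending) >= confirm:
                break                  # server keeps returning the current image
        else:
            kept += pending + [n]      # the earlier match was a real version
            pending = []
    return kept

# Constructed sample: real host, path and ID come from "Open image in new tab".
SAMPLE_URL = "https://img.example.invalid/avatar/SAMPLEID_51-v1.webp"
_h = lambda label: hashlib.sha256(label.encode()).hexdigest()
SAMPLE_DIGESTS = {n: _h("current") for n in range(1, 52)}       # 32 and below revert
SAMPLE_DIGESTS.update({n: _h(f"look-{n}") for n in range(33, 51)})
SAMPLE_DIGESTS[40] = _h("current")   # one earlier version identical to today's
```

Comparing digests rather than eyeballing each image is what separates a genuine earlier look that matches today's avatar (version 40 in the sample) from the point where the server stops returning history.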

URL manipulation in OSINT research is nothing new; many of you will already know how to do things like view a higher resolution or larger sized profile image in certain social media sites by changing a few characters in the image URL. If not, I hope this idea sparked a bit of creativity for you and is something you’ll add to your thought process going forward, because it has a wide variety of uses.

Ok, so there are a couple of takeaways here, allow me to summarize them:

  1. When Snapchat serves you up a profile page with a full Bitmoji avatar on it, there may be value in rolling back to previous versions for more information.
  2. Paying attention to where on-site content is delivered from on any site can be potentially valuable in your research.
  3. Manipulating the URL of media content can sometimes provide unexpected results.
  4. If you can’t laugh at yourself, then you’re doing life all wrong…
Don’t you dare put this on the internet!

UPDATE: Introducing The Backmoji Tool!

Following the release of this blog, THE Micah Hoffman aka @webbreacher on an internet near you, whipped up a quick UI tool that allows a user to follow the process outlined above, input a couple of variables from the Bitmoji URL they’ve discovered, and view an output of all available versions of the user’s Bitmoji all on a single page! Fantastic work my friend, as always!

To read his explanation of the tool, visit: https://webbreacher.com/2022/10/24/grabbing-old-bitmoji-outfits-with-backmoji/

To jump straight over to Backmoji, visit: https://webbreacher.github.io/osinttools/
