Billions of Users are Vulnerable to Attack
Researchers at the Technical University of Darmstadt and the University of Würzburg have found that popular mobile messengers expose personal data through their contact discovery services, the feature that lets users locate contacts based on their phone numbers.
When someone installs a messenger like WhatsApp, they can immediately start texting anyone in their existing contacts, based on the phone numbers stored on their device. For this to work, users have to grant the app permission to access their address book and upload it to the messaging company’s server. This process is known as ‘mobile contact discovery’. A recent study by the Cryptography and Privacy Engineering Group at TU Darmstadt and the Secure Software Systems Group at the University of Würzburg shows that contact discovery services seriously threaten the privacy of billions of users. The researchers were easily able to perform crawling attacks on popular messengers like Signal, WhatsApp, and Telegram: instead of uploading a genuine address book, they submitted random phone numbers to the discovery service and recorded which ones were registered, together with whatever profile data the service returned. The results show that attackers can use contact discovery services in this way to collect sensitive data en masse.
The study was extensive: the researchers queried 100% of US phone numbers for Signal and 10% of all US phone numbers for WhatsApp. In doing so, they collected the personal metadata that is commonly stored in a messaging service’s user profile, including but not limited to nicknames, profile pictures, status texts, and the ‘last online’ status. The data also reveals some interesting statistics about user behavior.
Very few users change the default privacy settings, and for most messengers the defaults leave a user exposed. The study found that over 50% of US WhatsApp users have a public profile picture, and 90% have a public ‘About’ text. Somewhat interestingly, 40% of Signal users also use WhatsApp, and those Signal users have a public profile picture on WhatsApp. An attacker who tracks data such as the ‘last online’ status over time can build a working model of a victim’s behavioral patterns, and the harvested data can be cross-referenced with social networks and other public data to reach more sensitive and more useful information. In the case of Telegram, the research team found that its contact discovery service exposes even more sensitive information, including details about phone numbers that are not registered with Telegram at all.
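The crawl described above, reduced to a runnable simulation. This is an added example, not the study’s tooling or any messenger’s real API: a mock discovery endpoint backed by a constructed user registry, a crawler that enumerates one US number block in batches, exposure statistics over the harvested profiles (the page’s public-picture and public-‘About’ rates are used as the made-up defaults), and a hypothetical per-account lookup quota (`max_numbers_per_account`) that shows why a limit of that kind raises the attacker’s cost in throwaway accounts rather than stopping the crawl. All numbers, names and rates are invented.

```python
import random
from dataclasses import dataclass

# Constructed sample data: one US number block (area code 212, exchange 555,
# lines 0000-9999) with 3,000 registered users. Every value here is made up.
AREA, EXCHANGE = "212", "555"
BLOCK_SIZE = 10_000


@dataclass
class Profile:
    nickname: str
    picture_public: bool
    about_public: bool
    last_seen_public: bool = True  # assumed default: visible to everyone


def number_block(area=AREA, exchange=EXCHANGE):
    """All 10,000 E.164 numbers in one area-code/exchange block."""
    return [f"+1{area}{exchange}{line:04d}" for line in range(BLOCK_SIZE)]


def make_registry(n_users=3000, seed=7):
    """Fake user database (number -> profile) with roughly the rates the
    article reports: 55% public picture, 90% public 'About' text."""
    rng = random.Random(seed)
    registry = {}
    for line in rng.sample(range(BLOCK_SIZE), n_users):
        registry[f"+1{AREA}{EXCHANGE}{line:04d}"] = Profile(
            nickname=f"user{line}",
            picture_public=rng.random() < 0.55,
            about_public=rng.random() < 0.90,
        )
    return registry


class DiscoveryService:
    """Mock contact-discovery endpoint: upload numbers, get back matches.
    max_numbers_per_account is a hypothetical per-account quota."""

    def __init__(self, registry, max_numbers_per_account=None):
        self.registry = registry
        self.limit = max_numbers_per_account
        self.used = {}

    def discover(self, account, numbers):
        used = self.used.get(account, 0)
        if self.limit is not None and used + len(numbers) > self.limit:
            raise PermissionError(f"{account}: contact-discovery quota exceeded")
        self.used[account] = used + len(numbers)
        matches = {}
        for number in numbers:
            profile = self.registry.get(number)
            if profile is None:
                continue  # not registered: this mock reveals nothing
            matches[number] = {
                "nickname": profile.nickname,
                "picture": f"{profile.nickname}.jpg" if profile.picture_public else None,
                "about": "Hey there! I am using this app." if profile.about_public else None,
                "last_seen": "online" if profile.last_seen_public else None,
            }
        return matches


def crawl(service, accounts, numbers, batch_size=500):
    """Enumerate a number block through the discovery endpoint, rotating to
    the next attacker-controlled account whenever one hits its quota."""
    harvested = {}
    accounts = list(accounts)
    for start in range(0, len(numbers), batch_size):
        batch = numbers[start:start + batch_size]
        while accounts:
            try:
                harvested.update(service.discover(accounts[0], batch))
                break
            except PermissionError:
                accounts.pop(0)  # this account is burned, try the next one
        else:
            break  # no accounts left: the crawl stops here
    return harvested


def exposure_stats(harvested):
    """Share of discovered users whose picture / 'About' text is public."""
    n = len(harvested)
    if n == 0:
        return {"registered": 0, "picture_public": 0.0, "about_public": 0.0}
    return {
        "registered": n,
        "picture_public": sum(1 for m in harvested.values() if m["picture"]) / n,
        "about_public": sum(1 for m in harvested.values() if m["about"]) / n,
    }


if __name__ == "__main__":
    registry = make_registry()
    block = number_block()
    # No quota: a single account harvests every registered user in the block.
    print(exposure_stats(crawl(DiscoveryService(registry), ["acct-1"], block)))
    # Quota of 1,000 lookups per account: one account sees a tenth of the
    # block, but ten throwaway accounts recover all of it again.
    limited = DiscoveryService(registry, max_numbers_per_account=1000)
    print(len(crawl(limited, ["acct-1"], block)))
    limited = DiscoveryService(registry, max_numbers_per_account=1000)
    print(len(crawl(limited, [f"acct-{i}" for i in range(10)], block)))
```

The quota run is the practitioner’s takeaway: a per-account lookup limit bounds what one registration can harvest, so the attacker’s cost becomes the number of phone numbers they can register, which is exactly why the crawl needs to be made expensive per number (or the lookup made privacy-preserving) rather than merely capped per account.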