Using contact search services, attackers can collect large amounts of sensitive data
Popular mobile messengers reveal personal data of users through services that allow finding contacts by phone numbers stored in the address book, a joint team of researchers from the University of Würzburg and the Technical University of Darmstadt said.
When installing a mobile messenger, for example, WhatsApp, new users can immediately send messages to existing contacts contained in the phone. To do this, you will need to allow the application to access the contact list and constantly download the address book data to the company's servers.
Using a small amount of resources, the researchers parsed the popular messengers WhatsApp, Signal and Telegram and came to disappointing conclusions.
As it turned out, using services to search for contacts by random numbers, attackers can collect large amounts of important data. As part of the study, specialists through contact search services checked 10% of the numbers of WhatsApp users in the United States and 100% of the numbers of Signal users. Thus, they were able to collect personal metadata, usually contained in the profiles of users of instant messengers, including profile pictures, nicknames, status data and the time of the last time they were online.
Data analysis revealed interesting aspects of user behavior, for example, only a few changed the default privacy settings, which in most messengers pose a risk to users.
It also found that approximately 50% of WhatsApp users have a public profile picture, and 90% of users do not hide information in the About section. At the same time, 40% of users of the privacy-focused messenger Signal also have WhatsApp profiles, and every second such profile is public. In the case of Telegram, the contact search service revealed information even about the owners of phone numbers that were not registered in the messenger.
According to experts, the nature of the information disclosed by a contact lookup service depends on the service provider and the user's privacy settings. For example, WhatsApp and Telegram transmit the entire contact list to their servers, while Signal sends only short hashes of phone numbers.
Experts informed the developers of instant messengers about the research results. As a result, WhatsApp improved its defense mechanism to detect such attacks, and Signal developers reduced the number of attempts to request a phone number as a protective measure.