WhatsApp, Signal And Telegram Aren't At All Secured, Researchers Found


Billions of people around the globe rely on their favorite messaging apps to communicate with their family members, friends and colleagues.

Most likely, the app of their choice is WhatsApp, Signal, Telegram or one of a few others. Researchers have discovered that those apps are technically vulnerable and extremely unsafe.

Researchers from the Technical University of Darmstadt and the University of Würzburg found that WhatsApp, Signal and Telegram, which are a few of the most popular mobile messaging apps, expose personal data through their services that allow users to find contacts based on phone numbers stored inside their address book.

For example, when installing a mobile messenger like WhatsApp, new users can instantly see their contacts and chat with them straight away. This is because WhatsApp uploads users' contacts to its servers and matches the entries with what it already has.

But before that can happen, WhatsApp needs permission to access users' contacts and regularly upload the entries to its servers.

This process is called 'mobile contact discovery'. And this is where the problem resides.

The researchers show that mobile contact discovery services are a huge privacy issue for billions of people.

They have proven this by performing practical crawling attacks on popular messaging apps like WhatsApp, Signal and Telegram, to collect sensitive data at a large scale. The researchers managed to do this by only utilizing very few resources.

Depending on users' privacy settings, the crawling results showed that querying the three apps' contact discovery services for random phone numbers exposes data with little to no restriction.

In a more extensive study, the researchers found that they were able to gather personal (meta) data from those messenger apps, including user profiles, profile pictures, nicknames, status texts, and "last online" time.

The data don't stop there. The researchers also discovered that they can see statistics about users.

For example, they found that very few users change the default privacy settings, which for most messengers are not privacy-friendly at all.

In the case of users in the U.S., the researchers found that about 50% of WhatsApp users in the country have a public profile picture and 90% a public “About” text. As for users of Signal, who most likely care more about their privacy, the researchers found that 40% of them are also WhatsApp users.

And those Signal users have public profiles on WhatsApp.

Comparison of surveyed messengers. (Credit: Technical University of Darmstadt, University of Würzburg)

This kind of data, if gathered in a large number, can be used to build a behavioral model, which could then be used to pinpoint users.

And when the data is matched across social media networks and public data sources like search engines, malicious actors can build even more detailed profiles.

The researchers found that both WhatsApp and Telegram upload users' entire address book to their servers. Signal, however, only transfers short cryptographic hash values of phone numbers or relies on trusted hardware.

Telegram fares worse. The researchers found that its contact discovery service exposes sensitive information even about owners of phone numbers who are not yet registered with the service.

“We strongly advise all users of messenger apps to revisit their privacy settings. This is currently the most effective protection against our investigated crawling attacks,” said Prof. Alexandra Dmitrienko from the University of Würzburg and Prof. Thomas Schneider from the Technical University of Darmstadt.

The research team reported their findings to the respective service providers. In response, the popular messaging apps have improved their protection to thwart such large-scale attacks.
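A server-side sketch of the kind of protection a contact discovery service could apply against this crawling, added here as an example (it is not code from the researchers or from any of the three services): a per-account budget on newly synced numbers combined with a hit-rate check. The class name, thresholds and phone numbers are constructed assumptions.

```python
from collections import defaultdict, deque

# All thresholds are assumed values for illustration, not any provider's settings.
WINDOW = 24 * 3600      # seconds of history kept per account
MAX_NEW = 1000          # distinct never-before-synced numbers allowed per window
MIN_SAMPLE = 200        # do not judge hit rate on fewer new numbers than this
MIN_HIT_RATE = 0.05     # a real address book is assumed to match more often

class DiscoveryGuard:  # hypothetical name
    def __init__(self, registered):
        self.registered = set(registered)
        self.seen = defaultdict(set)      # account -> numbers it already synced
        self.recent = defaultdict(deque)  # account -> (time, matched) per new number

    def lookup(self, account, numbers, now):
        """Return (verdict, matches); verdict is 'allow', 'flag' or 'throttle'."""
        log = self.recent[account]
        while log and now - log[0][0] > WINDOW:
            log.popleft()                 # expire entries outside the window
        # Re-syncing an unchanged address book costs nothing: only new numbers count.
        new = [n for n in dict.fromkeys(numbers) if n not in self.seen[account]]
        if len(log) + len(new) > MAX_NEW:
            return "throttle", []         # budget exhausted: answer nothing
        for n in new:
            log.append((now, n in self.registered))
        self.seen[account].update(new)
        hits = sum(1 for _, matched in log if matched)
        if len(log) >= MIN_SAMPLE and hits / len(log) < MIN_HIT_RATE:
            return "flag", []             # mostly unregistered numbers: hold for review
        return "allow", [n for n in numbers if n in self.registered]

def demo():
    # Constructed data: 10,000 fictional numbers, every 50th one registered.
    space = [f"+1555010{i:04d}" for i in range(10000)]
    guard = DiscoveryGuard(space[::50])
    # An ordinary address book: 60 registered + 90 unregistered contacts.
    book = space[0:3000:50] + space[1:50] + space[51:92]
    results = [guard.lookup("alice", book, now=0),
               guard.lookup("alice", book, now=3600)]  # unchanged re-sync
    for batch in range(3):                # one account sweeping a number range
        chunk = space[batch * 400:(batch + 1) * 400]
        results.append(guard.lookup("crawler", chunk, now=batch * 60))
    return [(verdict, len(matches)) for verdict, matches in results]

if __name__ == "__main__":
    print(demo())
```

The ordinary address book is answered on both syncs, while the account submitting large blocks of mostly unregistered numbers is first flagged and then throttled once its budget runs out.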

The researchers' findings are described in a paper titled “All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers”, by Christoph Hagen, Christian Weinert, Christoph Sendner, Alexandra Dmitrienko and Thomas Schneider.

Published: 22/09/2020