Billions of WhatsApp and Signal users are vulnerable to attack

Researchers at the University of Würzburg and the Technical University of Darmstadt have found that popular mobile messengers expose its users personal data. This vulerability has to do with the platforms’ discovery services that let people locate contacts with their phone numbers.

When a user installs a WhatsApp and most other messengers, new users are allowed to start texting anyone that is in their phones contacts, rather than the other person having to accept that request. To make this happen, users have to allow the apps to access and their address book an upload it to the company’s server. This process is called ‘mobile contact discovery’. The Cryptography and Privacy Engineering Group at TU Darmstadt performed the study alongside researchers from the Secure Software Systems Group at the University of Würzburg. Their findings showed that contact discovery services pose a serious threat to literally billions of users. The teams were able to perform crawling attacks on popular messengers with ease, and these are no small companies. We are talking about popular messengers like Signal, WhatsApp, and Telegram.

The study was comprehensive. The researchers were able to gather the data off 100% of Signal phone numbers and 10% of US phone numbers for WhatsApp’s US userbase. The team was able to easily harvest the metadata stored in a messaging service’s user profile. Some of the types of data include nicknames, profile pictures, status texts, and the ‘last online’ active status. The data also shows some userbase patterns that are rather interesting. For example, very few users bother to change their default privacy settings. Most messengers low-security default settings that leaves a new user vulnerable.

About 50% of US users of WhatsApp have a public profile picture and 90% of users have a public ‘About’ text. Another important detail is that 40% of Signal users also use WhatsApp, and almost all of those Signal users have a public profile picture on WhatsApp. If a hacker tracked that data over a period of time, they would be able to build a working model of a potential victim’s behavioral pattern. Then, they could cross-reference that data with social networks and other public sources to gain access to much more sensitive information. In Telegram’s case, the team saw that its contact discovery service exposes even more sensitive information like users’ phone numbers.

Leave a Reply

Your email address will not be published. Required fields are marked *