The research team reported their findings to the respective service providers. Impact of research results: service providers improve their security measures Alexandra Dmitrienko (University of Würzburg) and Prof. This is currently the most effective protection against our investigated crawling attacks,” agree Prof. “We strongly advise all users of messenger apps to revisit their privacy settings. Moreover, since there are no noteworthy restrictions for signing up with messaging services, any third party can create a large number of accounts to crawl the user database of a messenger for information by requesting data for random phone numbers. However, the research team shows that with new and optimized attack strategies, the low entropy of phone numbers enables attackers to deduce corresponding phone numbers from cryptographic hashes within milliseconds.
More privacy-concerned messengers like Signal transfer only short cryptographic hash values of phone numbers or rely on trusted hardware. WhatsApp and Telegram, for example, transmit the user’s entire address book to their servers. Which information is revealed during contact discovery and can be collected via crawling attacks depends on the service provider and the privacy settings of the user. For Telegram, the researchers found that its contact discovery service exposes a count of potential contacts for owners of phone numbers who are not even registered with the service.
When the data is matched across social networks and public data sources, third parties can also build detailed profiles, for example to scam users. Tracking such data over time enables attackers to build accurate behavior models. Interestingly, 40% of Signal users, which can be assumed to be more privacy concerned in general, are also using WhatsApp, and every other of those Signal users has a public profile picture on WhatsApp. The researchers found that about 50% of WhatsApp users in the US have a public profile picture and 90% a public “About” text. For example, very few users change the default privacy settings, which for most messengers are not privacy-friendly at all. The analyzed data also reveals interesting statistics about user behavior. Thereby, they were able to gather personal (meta) data commonly stored in the messengers’ user profiles, including profile pictures, nicknames, status texts and the “last online” time. The results of the experiments demonstrate that malicious users or hackers can collect sensitive data at a large scale and without noteworthy restrictions by querying contact discovery services for random phone numbers.Īttackers are enabled to build accurate behavior modelsįor the extensive study, the researchers queried 10% of all US mobile phone numbers for WhatsApp and 100% for Signal. Utilizing very few resources, the researchers were able to perform practical crawling attacks on the popular messengers WhatsApp, Signal, and Telegram.
Signal private contact discovery software#
A recent study by a team of researchers from the Secure Software Systems Group at the University of Würzburg and the Cryptography and Privacy Engineering Group at TU Darmstadt shows that currently deployed contact discovery services severely threaten the privacy of billions of users. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery. When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device.
0 kommentar(er)
