
Mobile Messengers Expose Billions Of Users To Privacy Attacks


When new users install a popular mobile messenger (such as WhatsApp, Telegram, or Signal), they can instantly start messaging existing contacts based on the phone numbers stored on their devices. For this, users must grant the app permission to access their address book and to transmit it, frequently, to the company's servers. This process is called mobile contact discovery.

According to a team of researchers from the Secure Software Systems Group and the Privacy Engineering Group, currently deployed contact discovery services seriously threaten the privacy of billions of mobile messenger users.

The researchers also demonstrated practical crawling attacks on popular mobile messengers, namely WhatsApp, Telegram, and Signal. The results of this experiment show that attackers can collect sensitive private data at a very large scale, and without significant restrictions, by querying mobile contact discovery services for random phone numbers.

For their study, the researchers queried around 10% of all US mobile phone numbers on WhatsApp and 100% on Signal. This allowed them to collect the personal information that is typically stored in a messenger app's user profile, including the profile picture, status, name, and last online time.

Analyzing this information revealed some interesting statistics about user behavior:

  • Only a few users change their messenger app's default privacy settings, which means most mobile messenger apps are not privacy-friendly at all.
  • Around 50% of WhatsApp users in the USA have a public profile picture.
  • Around 90% of WhatsApp users in the USA have a public About text.
  • Around 40% of Signal users also use WhatsApp, and every other one of those Signal users has a public profile picture on WhatsApp.

Tracking such information over time enables attackers to build accurate behavior models of users. When this information is matched across social media networks and public data sources, third parties can create detailed user profiles, for example to scam them.

In the case of Telegram, the researchers discovered that its contact discovery service exposes sensitive private information even about owners of mobile numbers who are not registered with the service.

Which sensitive information is revealed during contact discovery, and can therefore be collected via crawling attacks, depends entirely on the service provider and on the user's privacy settings. For example, WhatsApp and Telegram upload the user's entire address book to their servers.

Privacy-focused messengers like Signal, in contrast, transmit only short cryptographic hash values of phone numbers. However, the researchers show that with enhanced attack strategies, attackers can recover the corresponding phone numbers from these hash values within milliseconds, because the space of valid phone numbers is small enough to be searched exhaustively.

It is important to note that there are no restrictions on signing up with these popular messenger services: any third party can create a large number of accounts and collect the messenger's user information by requesting data for random phone numbers.

To protect against crawling attacks, all messenger app users should revisit their privacy settings.

The researchers reported their findings to the respective messenger service providers. As a result, WhatsApp has improved its protection strategy so that large-scale attacks can be detected and mitigated more easily, and Signal has reduced the number of permitted queries to complicate crawling.
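To illustrate the server-side detection that WhatsApp's improved protection relies on, here is an added example (not code from the researchers or any messenger provider) that flags crawling in a constructed contact-discovery query log. It assumes a simple CSV-style log format and illustrative thresholds; the key signal is that a genuine address-book upload mostly hits registered numbers, whereas random-number crawling has a low hit rate across many distinct numbers.

```python
from collections import defaultdict

# Constructed server-side contact-discovery log (not real data):
# "<seconds>,<client_account>,<queried_number>,<1 if number is registered>"
SAMPLE_LOG = """\
0,acct-legit,+15550000001,1
1,acct-legit,+15550000002,1
2,acct-legit,+15550000003,0
3,acct-legit,+15550000004,1
0,acct-crawl,+15551000000,0
0,acct-crawl,+15551000001,0
1,acct-crawl,+15551000002,1
1,acct-crawl,+15551000003,0
2,acct-crawl,+15551000004,0
2,acct-crawl,+15551000005,0
3,acct-crawl,+15551000006,0
3,acct-crawl,+15551000007,0
"""

def parse_log(text):
    """Yield (ts, client, number, registered) tuples from the log text."""
    for line in text.splitlines():
        ts, client, number, reg = line.split(",")
        yield int(ts), client, number, reg == "1"

def flag_crawlers(text, window=60, max_queries=5, min_hit_rate=0.5):
    """Return {client: (distinct_numbers, hit_rate)} for clients that, within any
    `window`-second span, query more than `max_queries` distinct numbers of which
    fewer than `min_hit_rate` are registered. Thresholds are illustrative only."""
    per_client = defaultdict(list)
    for ts, client, number, reg in parse_log(text):
        per_client[client].append((ts, number, reg))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start_ts, _, _) in enumerate(events):
            seen, hits = set(), 0
            for ts, number, reg in events[i:]:
                if ts - start_ts > window:
                    break  # sliding window closed
                if number not in seen:
                    seen.add(number)
                    hits += 1 if reg else 0
            hit_rate = hits / len(seen)  # len(seen) >= 1: events[i] is always counted
            if len(seen) > max_queries and hit_rate < min_hit_rate:
                flagged[client] = (len(seen), hit_rate)
                break  # one flag per client is enough
    return flagged
```

Running `flag_crawlers(SAMPLE_LOG)` flags only `acct-crawl` (8 distinct numbers, hit rate 0.125), while the legitimate account's 4 queries with a 0.75 hit rate pass.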

The researchers also suggested other mitigation strategies, including a new contact discovery approach that can be used to reduce the efficiency of such attacks.

If you have any questions about the crawling attacks on popular mobile messengers, or want to share your views on this, please mention them in the comments box and I will get back to you.
