
Mobile Messengers Expose Billions Of Users To Privacy Attacks


When new users install a popular mobile messenger such as WhatsApp, Telegram or Signal, they can instantly start messaging existing contacts based on the phone numbers stored on their device. To make this work, users must grant the app permission to access their address book and to transmit it to the company's servers, which happens frequently; this process is called mobile contact discovery.

According to a team of researchers from the Secure Software Systems Group and the Privacy Engineering Group, currently deployed contact discovery services severely threaten the privacy of billions of mobile messenger users.

The researchers also demonstrated a practical crawling attack on popular mobile messengers, namely WhatsApp, Telegram and Signal. The results of this experiment show that attackers can collect sensitive personal data at very large scale and without significant restrictions, simply by querying the contact discovery services with random phone numbers.

For their study, the researchers queried around 10% of all US mobile phone numbers for WhatsApp and 100% for Signal. This allowed them to collect the personal information that is generally stored in the messenger's user profiles, including the profile picture, status, name and last-online time.

They then analyzed this information and revealed some interesting statistics about user behaviour:

  • Only a few users change their messenger's default privacy settings, which means most mobile messengers are not privacy-friendly by default.
  • Around 50% of WhatsApp users in the USA have a public profile picture.
  • Around 90% of WhatsApp users in the USA have a public About text.
  • Around 40% of Signal users also use WhatsApp, and every second one of those Signal users has a public profile picture on WhatsApp.

Tracking such information over time enables attackers to build accurate behaviour models of users. When this information is matched against social networks and public data sources, third parties can create detailed profiles of users, for example in order to scam them.

In the case of Telegram, the researchers discovered that Telegram's contact discovery service exposes sensitive information about the owners of phone numbers even when those numbers are not registered with the service.

Which sensitive information is revealed during contact discovery and collected via crawling attacks depends entirely on the service provider and on the user's privacy settings. For example, WhatsApp and Telegram upload the user's entire address book to their servers.

Privacy-focused messengers like Signal, by contrast, transmit only short cryptographic hash values of the phone numbers. However, the researchers show that with enhanced attack strategies, attackers can recover the corresponding phone numbers from these hash values within milliseconds.
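To show why short hashes of phone numbers give no real protection, here is an added Python example (not the researchers' or any messenger's code): the phone-number space is small enough to precompute every hash once, after which any observed hash is reversed by a single table lookup. The truncated-SHA-256 scheme, the prefix and the test number are assumptions constructed for illustration.

```python
import hashlib
from typing import Dict, Optional

# Modelled scheme (an assumption for illustration, not any messenger's exact one):
# the client sends a truncated SHA-256 of the number instead of the number itself.
HASH_BYTES = 10  # 80 bits: plenty to tell ~10^10 numbers apart, but no secrecy

def short_hash(phone: str) -> bytes:
    """Hash a number in E.164 form (e.g. '+12025550147') as a client would."""
    return hashlib.sha256(phone.encode()).digest()[:HASH_BYTES]

def build_lookup(prefix: str, suffix_digits: int) -> Dict[bytes, str]:
    """Precompute hash -> number for every number under a prefix.
    The whole US number space is only ~10^10 entries, so doing this once for
    all numbers is feasible; here we build a small constructed slice of it."""
    table: Dict[bytes, str] = {}
    for n in range(10 ** suffix_digits):
        phone = f"{prefix}{n:0{suffix_digits}d}"
        table[short_hash(phone)] = phone
    return table

def recover_number(h: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """Reverse a received hash by one dictionary lookup (constant time)."""
    return table.get(h)

def demo() -> Optional[str]:
    """Constructed test number in the non-allocated 555-01xx block."""
    table = build_lookup("+1202555", 4)
    observed = short_hash("+12025550147")  # what the server side receives
    return recover_number(observed, table)

if __name__ == "__main__":
    print(demo())
```

The lesson for defenders is that hashing a low-entropy identifier is not encryption: only rate limits, private set intersection or similar designs keep the server from learning (or a crawler from enumerating) the numbers.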

It is important to note that there are no restrictions on signing up with these popular messenger services: any third party can create a large number of accounts and collect a messenger's user information by requesting data for random phone numbers.

To protect against crawling attacks, all messenger users should revisit their privacy settings.

The researchers reported their findings to the respective messenger service providers. As a result, WhatsApp has improved its protection so that large-scale attacks can be detected and mitigated more easily, and Signal has reduced the number of permitted queries in order to complicate crawling.
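As an added illustration of the kind of server-side detection mentioned above (my own example, not WhatsApp's or Signal's actual logic), this Python snippet flags accounts whose contact-discovery lookups look like enumeration rather than an address-book sync. The thresholds, the log format and the sample records are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Thresholds are assumptions for illustration, not any messenger's real limits.
WINDOW_SECS = 3600    # judge each account over a one-hour sliding window
MAX_DISTINCT = 200    # more distinct numbers than a plausible address-book sync
MIN_HIT_RATE = 0.2    # a genuine address book mostly resolves to registered users
MIN_SAMPLE = 50       # do not judge the hit rate on a handful of lookups
Record = Tuple[int, str, str, bool]  # (ts, account, number, registered?)

def parse_log(lines: Iterable[str]) -> List[Record]:
    """Parse constructed 'ts,account,number,hit' lines; skips blanks and # comments."""
    out: List[Record] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, acct, num, hit = line.split(",")
        out.append((int(ts), acct, num, hit == "1"))
    return out

def flag_crawlers(records: Iterable[Record]) -> Dict[str, dict]:
    """Flag accounts whose lookups in some window look like enumeration rather
    than a contact sync: too many distinct numbers, or too few that resolve."""
    by_acct: Dict[str, list] = defaultdict(list)
    for ts, acct, num, hit in records:
        by_acct[acct].append((ts, num, hit))
    flagged: Dict[str, dict] = {}
    for acct, evs in by_acct.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] >= WINDOW_SECS:
                start += 1  # slide the window forward past old lookups
            span = evs[start:end + 1]
            distinct = {num for _, num, _ in span}
            hit_rate = sum(hit for _, _, hit in span) / len(span)
            if len(distinct) > MAX_DISTINCT or (len(span) >= MIN_SAMPLE and hit_rate < MIN_HIT_RATE):
                flagged[acct] = {"distinct": len(distinct), "hit_rate": round(hit_rate, 2)}
                break  # first offending window is enough to flag the account
    return flagged

def constructed_log() -> List[str]:
    """Constructed sample: acct-A syncs a 40-contact address book (mostly registered);
    acct-B walks 500 sequential numbers in 500 seconds (few registered)."""
    lines = [f"{1000 + i},acct-A,+1202555{i:04d},{1 if i % 10 else 0}" for i in range(40)]
    lines += [f"{1000 + i},acct-B,+1202556{i:04d},{1 if i % 7 == 0 else 0}" for i in range(500)]
    return lines
```

Running `flag_crawlers(parse_log(constructed_log()))` flags only acct-B, and it trips on the low hit rate after 50 lookups, well before the distinct-number ceiling.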

The researchers also suggested other mitigation strategies, including a new contact discovery approach that can decrease the efficiency of such attacks.

If you have any questions about crawling attacks on popular mobile messengers, or want to share your views on this, please mention them in the comments box and I will get back to you.
