When new users install popular mobile messengers (like WhatsApp, Telegram, or Signal), they can instantly start messaging existing contacts based on the phone numbers stored on their devices. For this, users must grant the app permission to access their address book and transmit it frequently to the company's servers; this process is called mobile contact discovery.
According to a team of researchers from the Secure Software Systems Group and the Privacy Engineering Group, currently deployed contact discovery services seriously threaten the privacy of billions of mobile messenger users.
The researchers also demonstrated a practical crawling attack on popular mobile messengers, namely WhatsApp, Telegram, and Signal. The results of this experiment show that attackers can collect sensitive private data at very large scale, without significant restrictions, simply by querying mobile contact discovery services for random phone numbers.
For their study, the researchers queried around 10% of all US mobile phone numbers for WhatsApp and 100% for Signal. This way, they were able to collect the personal information typically stored in messenger user profiles, including profile pictures, status texts, names, and the last-online time.
They analyzed this information and revealed some interesting statistics about user behavior:
- Only a few users change their messenger app's default privacy settings, which means most mobile messenger apps are not privacy-friendly at all.
- Around 50% of WhatsApp users in the USA have a public profile picture.
- Around 90% of WhatsApp users in the USA have a public About text.
- Around 40% of Signal users also use WhatsApp, and every other one of those Signal users has a public profile picture on WhatsApp.
Tracking such information over time enables attackers to build accurate behavior models of users. When this information is matched against social media networks and public data sources, third parties can create detailed user profiles and use them to scam people.
In the case of Telegram, the researchers discovered that its contact discovery service exposes sensitive information about the owners of phone numbers who are not even registered with the service.
The sensitive information revealed during contact discovery and collected via crawling attacks depends entirely on the service provider and the user's privacy settings. For example, WhatsApp and Telegram upload the user's entire address book to their servers.
Privacy-focused messengers like Signal transmit only short cryptographic hash values of phone numbers. However, the researchers show that with enhanced attack strategies, attackers can recover the corresponding phone numbers from these hash values within milliseconds.
It is important to note that there are no restrictions on signing up with these popular messenger services: any third party can create a large number of accounts and collect a messenger's user information by requesting data for random phone numbers.
To protect against crawling attacks, all messenger users should revisit their privacy settings.
The researchers reported their findings to the respective messenger service providers. As a result, WhatsApp has improved its protection strategy so that large-scale attacks can be detected and mitigated more easily, and Signal has minimized the number of queries to make crawling more complex.
The researchers also suggested other mitigation strategies, including a new contact discovery approach that can be used to decrease the efficiency of such attacks.
If you have any questions about crawling attacks on popular mobile messengers, or want to share your views on this, please mention them in the comments box and I will get back to you.
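As an added illustration of the query limiting and large-scale-attack detection the providers adopted (example code, not the researchers' or any vendor's own implementation), here is a toy contact discovery service that enforces a per-account query budget and flags accounts whose lookups match registered users at an unusually low rate, which is what random-number crawling looks like compared with a real address book. The registry, number format and thresholds are constructed assumptions for the example.

```python
"""Toy contact-discovery service with crawling detection (constructed example).

Two heuristics, both assumptions of this example rather than any vendor's
documented policy: a per-account query budget, and a low match ratio over a
large number of lookups (random or sequential numbers rarely belong to
registered users, whereas a genuine address book mostly does).
"""
from collections import defaultdict

# Constructed registry: 5,000 "registered" numbers in a fake +1-555 block,
# every 1000th number, so most arbitrary numbers in the block are NOT users.
REGISTERED = {f"+1555{n:07d}" for n in range(0, 5_000_000, 1000)}


class ContactDiscoveryGuard:
    def __init__(self, max_queries=10_000, min_sample=200, min_match_ratio=0.05):
        self.max_queries = max_queries          # per-account query budget
        self.min_sample = min_sample            # don't judge ratio on tiny uploads
        self.min_match_ratio = min_match_ratio  # below this, looks like crawling
        self.queried = defaultdict(int)         # numbers looked up per account
        self.matched = defaultdict(int)         # registered hits per account
        self.flagged = set()                    # accounts blocked for crawling

    def discover(self, account, numbers):
        """Return (matches, status); status is 'ok', 'throttled' or 'flagged'."""
        if account in self.flagged:
            return [], "flagged"
        # Budget check happens before any lookup, so an over-budget batch
        # neither leaks matches nor consumes the remaining allowance.
        if self.queried[account] + len(numbers) > self.max_queries:
            return [], "throttled"
        matches = [n for n in numbers if n in REGISTERED]
        self.queried[account] += len(numbers)
        self.matched[account] += len(matches)
        if self.queried[account] >= self.min_sample:
            ratio = self.matched[account] / self.queried[account]
            if ratio < self.min_match_ratio:
                # Withhold results once the account is judged to be crawling.
                self.flagged.add(account)
                return [], "flagged"
        return matches, "ok"


if __name__ == "__main__":
    guard = ContactDiscoveryGuard()
    address_book = [f"+1555{n:07d}" for n in range(0, 20_000, 1000)]
    print("genuine user:", guard.discover("alice", address_book)[1])
    sweep = [f"+1555{n:07d}" for n in range(0, 1000)]  # sequential enumeration
    print("crawler:", guard.discover("crawler", sweep)[1])
```

A real deployment would also rate-limit per time window and across accounts created from the same source, since the article notes that nothing stops one party from registering many accounts.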