Home Technology WhatsApp, Telegram messengers are extremely insecure: Study

WhatsApp, Telegram messengers are extremely insecure: Study

Popular mobile messengers like WhatsApp expose personal data via discovery services that allow users to find contacts based on phone numbers from their address book, say, researchers.

When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device.

For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery.

The study from the Technical University of Darmstadt and the University of Würzburg in Germany shows that currently deployed contact discovery services severely threaten the privacy of billions of users.

Utilizing very few resources, the researchers were able to perform practical crawling attacks on the popular messengers WhatsApp, Signal, and Telegram.

The results of the experiments demonstrate that malicious users or hackers can collect sensitive data on a large scale and without noteworthy restrictions by querying contact discovery services for random phone numbers.

For the study, the researchers queried 10 percent of all US mobile phone numbers for WhatsApp and 100 percent for Signal.

Thereby, they were able to gather personal (meta) data commonly stored in the messengers’ user profiles, including profile pictures, nicknames, status texts, and the “last online” time.

The analyzed data also reveals interesting statistics about user behavior. For example, very few users change the default privacy settings, which for most messengers are not privacy-friendly at all.

The researchers found that about 50 percent of WhatsApp users in the US has a public profile picture and 90 percent a public “About” text.

Interestingly, 40 percent of Signal users, which can be assumed to be more privacy concerned in general, are also using WhatsApp, and every other of those Signal users has a public profile picture on WhatsApp.

Tracking such data over time enables attackers to build accurate behavior models.

When the data is matched across social networks and public data sources, third parties can also build detailed profiles, for example, to scam users.

For Telegram, the researchers found that its contact discovery service exposes sensitive information even about owners of phone numbers who are not registered with the service.

“Which information is revealed during contact discovery and can be collected via crawling attacks depends on the service provider and the privacy settings of the user,” the researchers wrote.

Since there are no noteworthy restrictions for signing up with messaging services, any third party can create a large number of accounts to crawl the user database of a messenger for information by requesting data for random phone numbers.

“We strongly advise all users of messenger apps to revisit their privacy settings,” the team said.

The study is scheduled to be released in February 2021 at the 28th Annual Network and Distributed System Security Symposium (NDSS), a top conference for IT security.

Most Popular

DC win toss and bowl against SRH, Ishant Sharma returns

Delhi Capitals won the toss and chose to bowl first against Sunrisers Hyderabad at the Sheikh Zayed Stadium in Abu Dhabi on Tuesday. DC...

IAMAI calls meet over new Google Play Store payment system

With the developers and payment gateway players criticising new Google in-app purchase policies where those using Play Store to sell digital services will be...

Chinese espionage case: Delhi court denies bail to journalist

A Delhi court on Tuesday dismissed the bail application filed by freelance journalist Rajeev Sharma, who was arrested for allegedly working for Chinese intelligence. Denying...

Actor Sonu Sood honoured by UNDP

Actor Sonu Sood has been honoured with the prestigious SDG Special Humanitarian Action Award by the United Nations Development Programme (UNDP), for helping thousands...
FMIM Ad