Popular mobile messengers disclose personal data of users through services that allow you to find contacts by phone numbers stored in an address book, according to a joint team of researchers from the University of Würzburg and the Technical University of Darmstadt.
When installing a mobile messenger, such as WhatsApp, new users can immediately send messages to existing contacts contained in the phone. To do this, you will need to allow the application to access the contact list and constantly download the address book data to the company's servers.
Using a small amount of resources, the researchers parsed the popular messengers WhatsApp, Signal and Telegram and came to disappointing conclusions.
As it turned out, using services to search for contacts by random numbers, attackers can collect large amounts of important data. As part of the study, specialists through contact search services checked 10% of the numbers of WhatsApp users in the United States and 100% of the numbers of Signal users. In this way, they were able to collect personal metadata, usually contained in the profiles of messenger users, including profile pictures, nicknames, status data and the time of the last time they were online.
Analysis of the data revealed interesting aspects of user behavior, for example, only a few changed the default privacy settings, which in most instant messengers pose a risk to users.
It also found that approximately 50% of WhatsApp users have a public profile picture, and 90% of users do not hide information in the About section. At the same time, 40% of users of the privacy-focused messenger Signal also have WhatsApp profiles, and every second such profile is public. In the case of Telegram, the contact search service revealed information even about the owners of phone numbers that were not registered in the messenger.
According to experts, the nature of the information disclosed by the contact lookup service depends on the service provider and the user's privacy settings. For example, WhatsApp and Telegram transmit the entire list of contacts to their servers, while Signal sends only short hashes of phone numbers.
Experts informed the developers of instant messengers about the results of the study. As a result, WhatsApp improved its defense mechanism to detect such attacks, and Signal developers reduced the number of attempts to request a phone number as a protective measure.
