Popular Messenger Services – Such As WhatsApp, Signal, and Telegram – Are Extremely Insecure


WhatsApp, Signal & Co: Billions of users vulnerable to privacy attacks.

Researchers from the Technical University of Darmstadt and the University of Würzburg show that popular mobile messengers expose personal data via discovery services that allow users to find contacts based on phone numbers from their address book.

When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery. A recent study by a team of researchers from the Secure Software Systems Group at the University of Würzburg and the Cryptography and Privacy Engineering Group at TU Darmstadt shows that currently deployed contact discovery services severely threaten the privacy of billions of users. Utilizing very few resources, the researchers were able to perform practical crawling attacks on the popular messengers WhatsApp, Signal, and Telegram. The results of the experiments demonstrate that malicious users or hackers can collect sensitive data at a large scale and without noteworthy restrictions by querying contact discovery services for random phone numbers.

Attackers can build accurate behavior models

For the extensive study, the researchers queried 10% of all US mobile phone numbers for WhatsApp and 100% for Signal. In doing so, they were able to gather personal (meta) data commonly stored in the messengers’ user profiles, including profile pictures, nicknames, status texts and the “last online” time. The analyzed data also reveals interesting statistics about user behavior. For example, very few users change the default privacy settings, which for most messengers are not privacy-friendly at all. The researchers found that about 50% of WhatsApp users in the US have a public profile picture and 90% a public “About” text. Interestingly, 40% of Signal users, who can be assumed to be more privacy-conscious in general, also use WhatsApp, and every second of those Signal users has a public profile picture on WhatsApp. Tracking such data over time enables attackers to build accurate behavior models. When the data is matched across social networks and public data sources, third parties can also build detailed profiles, for example to scam users. For Telegram, the researchers found that its contact discovery service exposes sensitive information even about owners of phone numbers who are not registered with the service.

Which information is revealed during contact discovery and can be collected via crawling attacks depends on the service provider and the privacy settings of the user. WhatsApp and Telegram, for example, transmit the user’s entire address book to their servers. More privacy-conscious messengers like Signal transmit only short cryptographic hashes of phone numbers or rely on trusted hardware. However, the research team shows that with new and optimized attack strategies, the low entropy of phone numbers enables attackers to recover the corresponding phone numbers from cryptographic hashes within milliseconds: there are only about 10^10 ten-digit numbers, so an attacker can hash every candidate number in advance and look the uploaded hashes up in that table. Moreover, since there are no noteworthy restrictions for signing up with messaging services, any third party can create a large number of accounts to crawl the user database of a messenger for information by requesting data for random phone numbers. “We strongly advise all users of messenger apps to revisit their privacy settings. This is currently the most effective protection against our investigated crawling attacks,” agree Prof. Alexandra Dmitrienko (University of Würzburg) and Prof. Thomas Schneider (TU Darmstadt).
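The following Python script is an added illustration of the hash-reversal point above; it is not code from the paper or from any messenger. It assumes a hypothetical discovery scheme (SHA-1 of the E.164 number, truncated to 10 bytes) and a constructed target number in a constructed 202-555 block. Because the hash input has only phone-number entropy, a lookup table over a candidate block inverts any uploaded hash instantly, and the measured hash rate shows how cheaply a single core covers the whole ten-digit space.

```python
import hashlib
import time
from typing import Dict, Iterable, Iterator, Optional


def numbers_in_block(area_code: str, exchange: str) -> Iterator[str]:
    """Yield every E.164 number +1<area><exchange>0000 ... 9999 (10,000 candidates)."""
    for line in range(10_000):
        yield f"+1{area_code}{exchange}{line:04d}"


def hash_number(number: str, truncate_to: int = 10) -> bytes:
    """Hash an E.164 number the way a naive discovery service might.

    Assumed scheme for this example, not any specific messenger's real one:
    SHA-1 of the number string, truncated to `truncate_to` bytes. Truncation
    shrinks the upload but changes nothing about the attack below, because
    the server must be able to recompute the same value from the plain number.
    """
    return hashlib.sha1(number.encode("ascii")).digest()[:truncate_to]


def build_lookup_table(numbers: Iterable[str]) -> Dict[bytes, str]:
    """Precompute hash -> number for a candidate block (a dictionary attack table)."""
    return {hash_number(n): n for n in numbers}


def invert_hash(observed: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """Constant-time table lookup: recover the number behind an uploaded hash."""
    return table.get(observed)


def brute_force(observed: bytes, numbers: Iterable[str]) -> Optional[str]:
    """Online variant without a table: hash candidates until one matches."""
    for n in numbers:
        if hash_number(n) == observed:
            return n
    return None


def measure_hash_rate(sample: int = 200_000) -> float:
    """Rough single-core hashes/second for the scheme above."""
    start = time.perf_counter()
    for i in range(sample):
        hash_number(f"+1202555{i % 10_000:04d}")
    return sample / (time.perf_counter() - start)


def estimate_full_scan_seconds(keyspace: int, rate: float) -> float:
    """Time to hash an entire number space at the measured rate."""
    return keyspace / rate


if __name__ == "__main__":
    # Constructed target; 555 exchanges are reserved, so this is no real subscriber.
    target_number = "+12025550147"
    # What an attacker sees: only the hash, e.g. from a leaked or intercepted upload.
    observed = hash_number(target_number)

    table = build_lookup_table(numbers_in_block("202", "555"))
    print("recovered:", invert_hash(observed, table))

    rate = measure_hash_rate()
    hours = estimate_full_scan_seconds(10**10, rate) / 3600
    print(f"{rate:,.0f} hashes/s on one core -> all 10^10 ten-digit numbers in ~{hours:.1f} h")
```

Adding a salt does not rescue this design: the server has to apply the same salt to its own copy of the numbers, so a crawler with an account learns it too, and the candidate space stays the phone numbers themselves. That is why the countermeasures discussed in the article are rate limiting, trusted hardware, or a different discovery protocol, rather than a stronger hash.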

Impact of research results: service providers improve their security measures

The research team reported their findings to the respective service providers. As a result, WhatsApp has improved its protection mechanisms such that large-scale attacks can be detected, and Signal has reduced the number of possible queries to complicate crawling. The researchers also proposed many other mitigation techniques, including a new contact discovery method that could be adopted to further reduce the efficiency of attacks without negatively impacting usability.

All results are described in the paper “All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers” by Christoph Hagen, Christian Weinert, Christoph Sendner, Alexandra Dmitrienko and Thomas Schneider, which will be presented in February 2021 at the 28th Annual Network and Distributed System Security Symposium (NDSS), a top conference for IT security.

14 Comments on "Popular Messenger Services – Such As WhatsApp, Signal, and Telegram – Are Extremely Insecure"

  1. Healing is extremely misleading and does not represent the content at all. Shame on you. You’re blocked from my news feed and I hope others do so as well

  2. *headline

  3. Paid promotion of one relatively unknown messenger service

  4. Dominik, the article title was spot on. Did you actually read it? Shame on you for misleading readers. If you’re looking for an alternative to these messengers that doesn’t collect your phone number (nor anything else) on registration, I recommend Status. Cross-platform, highly secure, decentralized, privacy-first.

  5. This article is right on the money. Contact access is the biggest privacy breach victimization a user can experience. It provides these companies with critical info that significantly accelerates the risk of identity theft. And these companies want access to your Contacts bad. Try using Signal w/o providing access to Contacts; the result may surprise you.

  6. No service is private when its main purpose is connecting you with others. This ‘privacy’ nonsense is getting way out of hand.

    The issue here are the people that are willing to share everything just because.

    If you upload a picture or a status or whatever to the internet with the purpose of sharing but you expect privacy then you’re kind of dumb…

  8. If you were able to break Telegram cryptography, then go claim your 300k USD from them.

  9. Nicely put. However, privacy protection, even though so much discussed, is not well understood by most of the population. The biggest security flaw is the human. 8)

  10. This article is total crap. Notice that they didn’t include figures for Telegram, because Telegram limits the rate at which you can look up contacts by phone number. This is to stop the Chinese government from doing exactly what they did for Hong Kong phone numbers.

    Didn’t even mention that Signal alone has had its code and protocol audited, and Telegram is open-source and has a substantial bounty for any vulnerabilities.

  11. “An Expert”, what you wrote about Telegram is literally right there in the article. You’re an expert at knee-jerk reactions.

    VED, every messenger app mentioned here is used by literally millions of people every single day. If that qualifies as “relatively unknown”, you probably only interact with people who don’t download messaging apps in the first place.

    majeh, you probably shouldn’t comment on literally anything on the Internet (especially news/security posts) if your response to someone disliking your app is to whine like a 12 year old. We won’t have to see your comments here again, though… so thanks for blocking this from your news feed!

    John: it’s “kind of dumb” (as you so eloquently put it) to believe that you have to give up your privacy just to share content online. In fact, if you had read the handful of comments before posting your own, you’d see that I posted the name of an app which lets you do just that. It won’t work so well if you share personally identifiable information like a photo of your government-issued ID, but it works great in most other cases. Do some reading before you decide that you have to give up all your privacy to use free services.

    It feels like the people who disliked this article are fanboys who didn’t even bother to read most of the article before slamming it.

  12. never use whatsapp or other messengers, they are watching you. Use messengers on p2p networks, like the Utopia ecosystem, then no one will find your correspondence

  13. Signal is “highly insecure” because someone can tell if I have an account with it tied to my phone #? Clickbait garbage and blocked from my feed.

  14. Everything is correct. Personally, I think that it is imperative to protect children on the Internet and social networks.
