research-article

Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations

Published: 07 November 2022

Abstract

Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods and propose suitable mitigations.

Our study of three popular messengers (WhatsApp, Signal, and Telegram) shows that large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram, we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings.

Furthermore, we demonstrate that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal. Most notably, we show that with the password cracking tool “JTR,” we can iterate through the entire worldwide mobile phone number space in < 150 s on a consumer-grade GPU. We also propose a significantly improved rainbow table construction for non-uniformly distributed input domains that is of independent interest.

Regarding mitigations, we most notably propose two novel rate-limiting schemes: our incremental contact discovery for services without server-side contact storage strictly improves over Signal’s current approach while being compatible with private set intersection, whereas our differential scheme allows even stricter rate limits at the overhead for service providers to store a small constant-size state that does not reveal any contact information.
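
The hash-reversal result in the abstract rests on the phone-number space being small enough to enumerate. The sketch below is an added illustration, not code from the paper: it shows the effect on a constructed numbering plan, and the unsalted SHA-256 hash, the `+999` placeholder prefixes, the sample contacts and all function names are assumptions.

```python
import hashlib
import math
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed numbering plan: (prefix, subscriber digits). "+999" is a
# placeholder country code; a real plan would list operator prefixes.
PLAN: List[Tuple[str, int]] = [("+99901", 4), ("+99902", 4), ("+99903", 3)]

# Constructed address book; the last entry lies outside PLAN.
SAMPLE_CONTACTS = ["+999010042", "+999023141", "+998011234"]


def digest(number: str) -> str:
    """Unsalted hash of the number string (SHA-256 is an assumption)."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def candidates(plan: List[Tuple[str, int]]) -> Iterator[str]:
    """Yield every number the plan allows, zero-padded to full length."""
    for prefix, digits in plan:
        for n in range(10 ** digits):
            yield f"{prefix}{n:0{digits}d}"


def domain_size(plan: List[Tuple[str, int]]) -> int:
    """Total count of valid numbers: the whole search space."""
    return sum(10 ** digits for _, digits in plan)


def work_factor_bits(plan: List[Tuple[str, int]]) -> float:
    """Upper bound on the guessing work, expressed in bits."""
    return math.log2(domain_size(plan))


def reverse_hashes(targets: Iterable[str],
                   plan: List[Tuple[str, int]]) -> Dict[str, str]:
    """Map each target hash to its number with one pass over the domain.

    The cost is bounded by domain_size(plan) no matter how many hashes
    are supplied, so a set of hashed contacts is no harder than one.
    """
    wanted = set(targets)
    found: Dict[str, str] = {}
    for number in candidates(plan):
        h = digest(number)
        if h in wanted:
            found[h] = number
            if len(found) == len(wanted):
                break  # every target already resolved
    return found


if __name__ == "__main__":
    uploaded = [digest(n) for n in SAMPLE_CONTACTS]
    recovered = reverse_hashes(uploaded, PLAN)
    print(f"domain: {domain_size(PLAN)} numbers, "
          f"{work_factor_bits(PLAN):.1f} bits")
    for h in uploaded:
        print(h[:16], "->", recovered.get(h, "not in plan"))
```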

Published in: ACM Transactions on Privacy and Security, Volume 26, Issue 1, February 2023, 342 pages

ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3561959

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 7 November 2022
• Online AM: 30 June 2022
• Accepted: 2 June 2022
• Revised: 19 May 2022
• Received: 15 July 2021

Qualifiers

• research-article
• Refereed