Abstract
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods and propose suitable mitigations.
Our study of three popular messengers (WhatsApp, Signal, and Telegram) shows that large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram, we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings.
Furthermore, we demonstrate that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal. Most notably, we show that with the password cracking tool “JTR,” we can iterate through the entire worldwide mobile phone number space in < 150 s on a consumer-grade GPU. We also propose a significantly improved rainbow table construction for non-uniformly distributed input domains that is of independent interest.
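To make the hash-reversal point concrete, the following added example (written for this page, not code from the paper or its authors) shows why hashing phone numbers does not hide them: the search space is bounded by the numbering plan, not by the hash's output size. It assumes numbers are hashed as plain E.164 strings with an unsalted hash (SHA-1 stands in for whatever a service uses) and uses a constructed toy numbering plan in place of real ITU data; `TOY_NUMBERING_PLAN`, `reverse_hashes` and the sample "uploaded" hashes are all constructed for the example.

```python
import hashlib

# Constructed toy numbering plan (NOT real ITU data): each entry is a dialling
# prefix that is actually assigned and the number of subscriber digits that
# follow it. A real plan would be assembled from national numbering plans.
TOY_NUMBERING_PLAN = [
    ("+1555", 3),    # 1,000 candidate numbers
    ("+49151", 3),   # 1,000 candidate numbers
    ("+4477", 3),    # 1,000 candidate numbers
]


def hash_number(number: str, algorithm: str = "sha1") -> str:
    """Assumption: the service hashes the E.164 string with an unsalted hash."""
    return hashlib.new(algorithm, number.encode("ascii")).hexdigest()


def enumerate_plan(plan):
    """Yield every number that the plan marks as assignable."""
    for prefix, suffix_len in plan:
        for suffix in range(10 ** suffix_len):
            yield f"{prefix}{suffix:0{suffix_len}d}"


def plan_size(plan) -> int:
    """Number of candidates a plan-aware enumeration has to hash."""
    return sum(10 ** suffix_len for _, suffix_len in plan)


def naive_size(max_digits: int = 15) -> int:
    """Size of the search space if numbering plans were ignored entirely
    (every digit string of 1..max_digits digits; E.164 allows up to 15)."""
    return sum(10 ** n for n in range(1, max_digits + 1))


def reverse_hashes(target_hashes, plan, algorithm: str = "sha1") -> dict:
    """Resolve hashed numbers with a single streaming pass over the plan.

    No table is stored: each candidate is hashed once and compared against the
    outstanding targets, and the pass stops as soon as every target is resolved.
    Hashes of numbers outside the plan stay unresolved.
    """
    remaining = set(target_hashes)
    recovered = {}
    for number in enumerate_plan(plan):
        if not remaining:
            break
        digest = hash_number(number, algorithm)
        if digest in remaining:
            recovered[digest] = number
            remaining.remove(digest)
    return recovered


if __name__ == "__main__":
    # Constructed "uploaded contact list": hashes of three numbers, one of
    # which lies outside the toy plan and therefore cannot be recovered.
    uploaded = [hash_number(n) for n in ("+1555042", "+4477999", "+33600000")]
    recovered = reverse_hashes(uploaded, TOY_NUMBERING_PLAN)
    print(f"search space with plan:    {plan_size(TOY_NUMBERING_PLAN):,} numbers")
    print(f"search space without plan: {naive_size():,} numbers")
    for digest in uploaded:
        print(digest[:12], "->", recovered.get(digest, "<not in plan>"))
```

The comparison printed at the end is the whole argument: a plan-aware enumeration hashes a few thousand candidates per toy prefix instead of roughly 10^15 digit strings, so the effective entropy of a phone number is set by the numbering plan, and neither a faster hash nor a larger digest changes that. The abstract's mitigations (rate limiting, private set intersection) address the input space rather than the hash, which is the right place to look.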
Regarding mitigations, we most notably propose two novel rate-limiting schemes. Our incremental contact discovery for services without server-side contact storage strictly improves over Signal’s current approach while remaining compatible with private set intersection. Our differential scheme allows even stricter rate limits, at the cost of service providers storing a small constant-size state that does not reveal any contact information.
Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations