London: When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device.
- For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery.
- A study from the Technical University of Darmstadt and the University of Würzburg in Germany shows that currently deployed contact discovery services severely threaten the privacy of billions of users.
- Utilizing very few resources, the researchers were able to perform practical crawling attacks on the popular messengers WhatsApp, Signal and Telegram.
- The results of the experiments demonstrate that malicious users or hackers can collect sensitive data on a large scale and without noteworthy restrictions by querying contact discovery services for random phone numbers.
- For the study, the researchers queried 10 per cent of all US mobile phone numbers for WhatsApp and 100 per cent for Signal.
- In doing so, they were able to gather personal (meta)data commonly stored in the messengers' user profiles, including profile pictures, nicknames, status texts and the "last online" time.
- The analyzed data also reveals interesting statistics about user behaviour. For example, very few users change the default privacy settings, which for most messengers are not privacy-friendly at all.
The researchers found that about 50 per cent of WhatsApp users in the US have a public profile picture and 90 per cent a public "About" text.
Interestingly, 40 per cent of Signal users, who can be assumed to be more privacy-concerned in general, are also using WhatsApp, and every other one of those Signal users has a public profile picture on WhatsApp.