From the advent of instant messaging apps, a few taps are enough on the screen of our phones to get in touch with family, friends and acquaintances. While they have facilitated many things these platforms have their own security issues, although potential attack vectors are not always in sight, as mentioned by network penetration testing experts.
One of the most popular attack vectors for researchers recently is Mobile Contact Discovery (MCD), the messaging app feature that allows you to find other users a list of contacts without needing more information in addition to their phone number.
The most popular messaging apps, including WhatsApp, feature MCD, constantly accessing users’ contact list to find other users registered on the same platform. On the other hand, services with a greater focus on privacy, such as Signal, depend on a brief hashing of the user’s phone number, although network penetration testing experts point out that this is not a much more secure method than other services.
The most recent research on this feature, conducted by the University of Würzburg, shows that MCD services can pose a serious security threat to users of messaging apps.
DATA LEAKING
The main risk in implementing MCD is the potential leak of a user’s contacts due to security incidents; as such an incident would present the ideal opportunity for threat actors to deploy phishing attacks or identity fraud for all kinds of malicious purposes. Another risk comes from the actions of governments around the world, which could begin to put pressure on messaging platforms to deliver information from a user under investigation or suspected of a crime.
FINDING A USER THROUGH METADATA
Metadata is also not safe from the activity of malicious hackers, the worst thing is that millions of users are not even consenting to the existence of these particles of information; Profile picture, statuses, last connection and username are some of the data that can be very useful to criminals, even if they don’t seem like important information.
It is incredibly easy for a malicious user to collect metadata from messaging apps to find a person’s social media profiles, which can be useful for profiling users for criminal purposes.
Another risk that users might be exposed to is enumeration attacks, impossible to prevent on these platforms given the limited requirements to register for these services.
CASE STUDIES: WHATSAPP, TELEGRAM AND SIGNAL
Network penetration testing experts analyzed these messaging apps by discovering that in all three cases it is completely possible to carry out attacks such as those described in previous paragraphs at an unusual scale. Another interesting finding has to do with user practices, who rarely change the default privacy settings in the service of their choice, exposing themselves to much greater security risks than those related only to the use of MCD.
Finally, hash-based contact discovery protocols (such as the one used in Signal) can be easily breached by comparing three methods for hashing phone numbers, becoming a very unsafe mechanism.
This research has shown that it is possible to compromise the security of billions of users who rely on these platforms to manage their day-to-day communications; the researchers’ findings were shared with WhatsApp, Signal and Telegram in order for companies to find the mechanisms needed to implement improvements in MCD usage.
In addition to analyzing security risks in MCD, researchers propose some measures to mitigate the risks involved in this practice, with a focus on using highly secure encryption protocols that can prevent any information leakage.
Using encryption protocols for the intersection of private sets is probably the most prominent approach to improving security in future MCD deployment. These protocols would allow users and providers to find contacts without exposing unavailable information outside of the simple phone number, although their actual effectiveness remains to be seen.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
