Mobile Contact Discovery: The zero-day attack vector that affects WhatsApp, Telegram and Signal

Since the advent of instant messaging apps, a few taps on the screen of our phones are enough to get in touch with family, friends and acquaintances. While these platforms have made many things easier, they have their own security issues, and the potential attack vectors are not always in plain sight, as mentioned by network penetration testing experts.

One of the attack vectors that has recently drawn the most attention from researchers is Mobile Contact Discovery (MCD), the messaging app feature that allows you to find other users from a list of contacts without needing any information beyond their phone number.

The most popular messaging apps, including WhatsApp, feature MCD and constantly access users’ contact lists to find other users registered on the same platform. On the other hand, services with a greater focus on privacy, such as Signal, depend on a brief hashing of the user’s phone number, although network penetration testing experts point out that this method is not much more secure than those of other services.

The most recent research on this feature, conducted by the University of Würzburg, shows that MCD services can pose a serious security threat to users of messaging apps.

DATA LEAKING

The main risk in implementing MCD is the potential leak of a user’s contacts due to security incidents, as such an incident would present the ideal opportunity for threat actors to deploy phishing attacks or identity fraud for all kinds of malicious purposes. Another risk comes from the actions of governments around the world, which could begin to put pressure on messaging platforms to deliver information about a user under investigation or suspected of a crime.

FINDING A USER THROUGH METADATA

Metadata is also not safe from the activity of malicious hackers. The worst thing is that millions of users are not even consenting to the existence of these particles of information: profile picture, statuses, last connection and username are some of the data that can be very useful to criminals, even if they don’t seem like important information.

It is incredibly easy for a malicious user to collect metadata from messaging apps to find a person’s social media profiles, which can be useful for profiling users for criminal purposes.

Another risk that users might be exposed to is enumeration attacks, which are impossible to prevent on these platforms given the limited requirements to register for these services.

CASE STUDIES: WHATSAPP, TELEGRAM AND SIGNAL


Network penetration testing experts analyzed these messaging apps and discovered that in all three cases it is entirely possible to carry out attacks such as those described in previous paragraphs at an unusual scale. Another interesting finding has to do with the practices of users, who rarely change the default privacy settings in the service of their choice, exposing themselves to much greater security risks than those related only to the use of MCD.

Finally, after comparing three methods for hashing phone numbers, the researchers found that hash-based contact discovery protocols (such as the one used in Signal) can be easily breached, which makes them a very unsafe mechanism.
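Why hashing adds so little protection, for both the Signal remark and the finding on hash-based protocols above: the following is an added example, not code from the research or from any of the apps. It assumes unsalted SHA-256 as the hashing scheme and uses a constructed, non-assignable block of numbers, and it shows that secrecy is bounded by the size of the number space, not by the length of the digest.

```python
import hashlib
import math

# Constructed, non-assignable number block (assumption): +1 555 555 0000-9999.
PREFIX = "+1555555"
SUFFIX_DIGITS = 4


def digest(number: str) -> str:
    """Unsalted SHA-256 of a phone number (assumed scheme, for illustration)."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def number_block(prefix: str, suffix_digits: int):
    """Yield every number in the block: prefix followed by all suffix values."""
    for i in range(10 ** suffix_digits):
        yield f"{prefix}{i:0{suffix_digits}d}"


def input_entropy_bits(space_size: int) -> float:
    """Upper bound on the secrecy a hash can provide: log2 of the input space."""
    return math.log2(space_size)


def resolve_digests(uploaded, prefix=PREFIX, suffix_digits=SUFFIX_DIGITS):
    """Map uploaded digests back to numbers by hashing the whole block once."""
    wanted = set(uploaded)
    table = {}
    for number in number_block(prefix, suffix_digits):
        d = digest(number)
        if d in wanted:
            table[d] = number
    return table


# Constructed address book, as a client would upload it in digest form.
ADDRESS_BOOK = ["+15555550142", "+15555559001", "+15555550007"]
UPLOADED = [digest(n) for n in ADDRESS_BOOK]

if __name__ == "__main__":
    resolved = resolve_digests(UPLOADED)
    print(f"block entropy:  {input_entropy_bits(10 ** SUFFIX_DIGITS):.1f} bits")
    print(f"10-digit space: {input_entropy_bits(10 ** 10):.1f} bits (digest: 256 bits)")
    print(f"resolved {len(resolved)} of {len(UPLOADED)} uploaded digests")
```

A service reviewing its own contact discovery design can use the same bound: anything that receives the digests learns no less than it would from the plain numbers.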

This research has shown that it is possible to compromise the security of billions of users who rely on these platforms to manage their day-to-day communications; the researchers’ findings were shared with WhatsApp, Signal and Telegram so that the companies could find the mechanisms needed to implement improvements in MCD usage.

In addition to analyzing security risks in MCD, researchers propose some measures to mitigate the risks involved in this practice, with a focus on using highly secure encryption protocols that can prevent any information leakage.

Using cryptographic protocols for private set intersection is probably the most prominent approach to improving security in future MCD deployments. These protocols would allow users and providers to find contacts without exposing information beyond the simple phone number, although their actual effectiveness remains to be seen.