WhatsApp, Signal and Telegram “leaked” the phone numbers of their users (and in the case of Telegram, even those who are not registered in it), which allows you to pull all the information from their profiles. It can subsequently be used by cybercriminals to create fake accounts for the purpose of fraud, but not only messengers, but also the users themselves will be to blame.
Messengers WhatsApp, Signal and Telegram, known for their modern security technologies, did not provide an adequate level of protection for their users’ personal information. This was reported by researchers from the University of Würzburg, who tested the services for access to private information together with colleagues from the Darmstadt Technical University (both universities are located in Germany).
In their report, the authors of the experiment indicated that all three messengers included, according to the profile resource TechRadar and the developer of antivirus solutions Avg , in the top five most protected, disclose personal data of users through contact search services by phone numbers stored in the address book. This is due, according to the researchers, to the fact that any of these instant messengers, when first launched on a mobile device, requests access to the contacts of the gadget owner for their correct operation. Having received it, in the future, at a certain frequency, they upload the list of contacts to the servers of the developer company.
What data was publicly available
According to the authors of the study, they used very few resources for parsing all three instant messengers, but even with their help they gained access to significant amounts of data. For example, in their experiment, using a contact search service, they scanned 10% of the numbers of WhatsApp users in the United States and at the same time 100% of the numbers of users of Signal, which is known to be Edward Snowden’s favorite messenger . In 2015, he stated that he uses the app on a daily basis (obviously to contact journalists).
Researchers have at their disposal all the data that people post on their profiles. Among them were photos of the account, nicknames, statuses, the last date and time of connection to the service, etc.
The analysis of the data made it possible to compile some statistics on user behavior. For example, most of them do not change the privacy settings, leaving them the same as they were when registering in the messenger, and the basic settings in most of these services do not provide this very privacy.
The researchers also found that about 50% of WhatsApp users in the US have a public photo of their account. Moreover, 90% do not hide the information they have posted in the “About” section.
Experts also noted the fact that 40% of Signal users, originally positioned as the safest messenger and aimed at those who are concerned about privacy, have fully open WhatsApp profiles.
Telegram, on the other hand, was completely different from its two competitors. Researchers were able to use it to get the phone numbers of even those people who are not registered in this messenger, but are in the contact lists of users who have an account in it.
Than it can threaten
Even taking into account the fact that there is no really important information in the user profiles of messengers that cannot be disclosed to third parties (bank card numbers, passport data, etc.), the available information can be used by cybercriminals for their own purposes. There are no strict registration rules in messengers, which allows them to create many accounts with stolen information, for example, for fraudulent activities. This is often the case on social networks – a cybercriminal creates a clone of someone’s page and begins, for example, to beg for money from those people who are on the friends list of the owner of a genuine profile.
How to protect yourself from scanning
The authors of the study stated that the type of information that hackers or attackers can obtain about a particular user of the service depends on the user. More precisely, they depend on the privacy settings he has chosen.
Also, messengers themselves have a certain impact on the dissemination of personal data. So, if WhatsApp and Telegram transmit the entire list of contacts to their servers, then Signal sends instead only short hashes of phone numbers, which makes it difficult to find information. Nevertheless, a study by German specialists showed that it is possible to deduce phone numbers from hash values using special tools in milliseconds.
Messengers “hand over” their users
WhatsApp, Signal and Telegram cannot be considered truly reliable communication tools. Each of them has vulnerabilities that allow you to easily get to certain information that is not intended for prying eyes.
For example, in August 2020, the discovery of an elementary way to intercept other people’s messages on Telegram using the Favorites contact.
In June 2020, it became known that some phone numbers associated with user profiles in WhatsApp had been in the public domain for a long time and even got into Google search results. In total, with the help of Google, it was possible to find up to the number of about 300 thousand users of the messenger, and this problem was also global.
But Signal stood out the most. In October 2018, it turned out that when switching from Signal in the form of an extension for the Chrome browser to its desktop version (Signal Desktop), the messenger puts on the user’s device disk all the correspondence in unencrypted form, together with all attachments. The application then automatically re-imports all these dialogs, however, at a certain period, everything that needs to be encrypted is on disk in plaintext. This allows you to copy any information from any correspondence without the need to decrypt it.