The privacy risk that comes with syncing contacts to messenger apps

Syncing your phone's contacts to WhatsApp or Telegam can make it easier to find friends when you get started, but security experts say this comes with a significant risk. — Christin Klose/dpa

When getting started on a new messenger app, most of us will just download, upload our contacts and start chatting. This is a mistake, say researchers, who have found that this function can be exploited by attackers to access personal information from you and contacts.

Users of messaging apps unfortunately need to get into the habit of being sceptical of the default privacy settings, especially when syncing contacts to a new chat app.

That's because hackers are able to abuse that handy function that lets you sync and upload contacts from your smartphone to the messaging app, according to a study carried out by the University of Wuerzburg and the Technical University of Darmstadt.

The study showed that hackers can collect sensitive data on a large scale and without any significant restrictions from the messaging apps Signal and WhatsApp, which access the mobile phone's contacts, regularly uploading them to the service provider's servers for synchronisation. This works by requesting masses of random phone numbers from the messengers to find contacts (known as crawling).

The information that can be disclosed when contacts are being synced or collected through crawling attacks depends on the messenger and the privacy settings you choose. The personal data and metadata that could be accessed in the research included profile pictures, user names, statuses and the amount of time you spend online.

Before publication, the researchers communicated the results of the study to the messaging services. WhatsApp said it then improved security measures to help detect future large-scale attacks. And Signal has reduced the number of possible queries, making crawling more difficult.

For the study, 10% of all mobile phone numbers in the United States were queried for WhatsApp and 100% for Signal. The analysed data also revealed some interesting statistics about user behaviour: around 50% of all WhatsApp users in the United States have a public profile picture, while 90% have a public About Me text.

And 40% of all users registered with Signal also use WhatsApp – although the researchers assumed that more Signal users would be more concerned about their privacy. After all, unlike WhatsApp, Signal does not analyse or evaluate users' metadata.

If the data obtained via crawling is pursued by attackers over a longer period of time, they can create precise models of users' behaviour, the researchers warn. And if this data was compared with data from social networks and other public sources, detailed profiles could be created and used, for example, for scams.

In an investigation of the programming interface (API) of the Telegram messaging app, the researchers also found that the contact identification service also reveals sensitive information about people with a telephone number but who are not registered with Telegram.

The contact comparison between the smartphone address book and messengers' servers is routinely criticised by security researchers and data protection experts. However, the messaging services fear they will lose users without this feature, which adds convenience. It would be safer and less objectionable in terms of data privacy, but also more tedious and annoying if each contact had to be added individually. – dpa

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 18
Cxense type: free
User access status: 3

Did you find this article insightful?


88% readers found this article insightful

Next In Tech News

China tops world in AI patent filings, surpassing the US for the first time
SAIC Motor, an early adopter of the smart car, sets up US$1bil fund to invest in Internet-linked vehicles with Alibaba
Greece puts faith in online schooling
PDRM: Fake Bank Negara apps and websites cost victims RM5.2mil in losses
Amazon unions from Brazil to Germany plan Black Friday protests
Black Friday offers beacon of hope to struggling US stores
Man Utd working with cyber agency after ‘disruptive’ attack
Dating apps see matches bloom in India
US teens develop sanitising drone to help clean school during pandemic
UK to launch new watchdog next year to police tech giants

Stories You'll Enjoy