WhatsApp, Signal and Telegram miserably failed a banal security test

WhatsApp, Signal and Telegram have “leaked” their users’ telephone numbers (and, in the case of Telegram, even the numbers of people who are not registered there), so that all the information in their profiles can be extracted. Cybercriminals will subsequently use it to create fake accounts for fraud purposes, and responsibility for this lies not only with the messengers but also with the users themselves.

Insecure messengers

The WhatsApp, Signal and Telegram messengers, known for their advanced security technology, have not provided an acceptable standard of protection for the personal information of their users. This was documented by researchers from the University of Würzburg who, together with colleagues from the Technical University of Darmstadt, examined how private information could be accessed.

In their study, the experiment’s authors indicated that all three messengers, which are among the top five most protected according to the specialist resource TechRadar and the antivirus developer AVG, reveal personal user data through contact search services that rely on the telephone numbers stored in the address book. According to the researchers, this is because, when first launched on a mobile device, all of these instant messengers request access to the device owner’s contacts in order to work properly. Having obtained it, they then upload the contact list to the developer company’s servers at regular intervals.

What data was publicly available

According to the study’s authors, they used relatively few tools to scan all three instant messengers, yet even with these they gained access to large quantities of data. For example, in the course of their experiment they used a contact search service to scan 10 percent of WhatsApp users in the United States and 100 percent of the users of Signal, which is considered to be Edward Snowden’s favorite messenger. He reported in 2015 that he uses the app daily.

The high popularity of communication services does not mean they are entirely stable.
The researchers had at their disposal all the information that individuals share in their profiles. Account pictures, nicknames, statuses, the date and time of the last connection to the service, etc. were among them.

Data analysis also made it possible to collect some statistics on user behavior. Most users, for example, do not change their privacy settings, leaving them as they were when they registered with the messenger, and in most of these services the default settings are not privacy-friendly.

The researchers also discovered that about 50% of US WhatsApp users have a public profile photo. In addition, 90 percent do not conceal the details they have posted in the “About” section.

Experts also noted that 40 percent of the users of Signal, which was originally marketed as the safest messenger and is aimed at those who are concerned about privacy, have completely open WhatsApp accounts.

Telegram, on the other hand, was entirely different from its two rivals. Researchers were able to use it to get the phone numbers even of individuals who are not registered with this messenger but appear in the contact lists of users who have an account in it.

What this can threaten

Even though messenger user profiles contain no highly sensitive information that must not be revealed to third parties (bank card numbers, passport details, etc.), cybercriminals can use the available information for their own purposes. Messengers do not have strict registration rules, which makes it possible to create several accounts filled with stolen information, for example for fraudulent activities. On social networks this happens all the time: a cybercriminal creates a replica of someone’s page and starts, for example, to ask for money from people who are on the friends list of the legitimate profile’s owner.

How to protect yourself from scanning

The study’s authors suggested that the type of data that hackers or attackers can collect about a single user of the service depends on the user. More specifically, it depends on the privacy settings the user has selected.

The messengers themselves also have a certain effect on the distribution of personal information. While WhatsApp and Telegram transmit the entire list of contacts to their servers, Signal only sends short hashes of telephone numbers, which makes it more difficult to find information. Nevertheless, a report by German specialists showed that telephone numbers can be deduced from hash values in milliseconds using special methods.
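Why hashing alone does not hide a phone number, as an added example that is not from the study or from any messenger's code: the set of possible numbers is small enough to hash in full. Truncated SHA-256 and the `+99900` prefix are assumptions chosen for illustration, and all numbers are constructed.

```python
import hashlib
import math

def short_hash(number: str, nbytes: int = 10) -> bytes:
    """Truncated SHA-256 of a phone number (assumed scheme, not any messenger's)."""
    return hashlib.sha256(number.encode("ascii")).digest()[:nbytes]

def search_space_bits(candidates: int) -> float:
    """Entropy of an identifier drawn uniformly from `candidates` possibilities."""
    return math.log2(candidates)

def build_table(prefix: str, digits: int) -> dict:
    """Hash every number in one block once; the result maps hash -> number."""
    table = {}
    for i in range(10 ** digits):
        number = f"{prefix}{i:0{digits}d}"
        table[short_hash(number)] = number
    return table

def resolve(hashes, table):
    """Return the number behind each hash, or None if it is outside the block."""
    return [table.get(h) for h in hashes]

# Constructed sample data under a made-up prefix; not real subscribers.
PREFIX, DIGITS = "+99900", 5
UPLOADED = [short_hash("+9990012345"), short_hash("+9990098765"),
            short_hash("+9980000001")]  # the last one lies outside the block

if __name__ == "__main__":
    table = build_table(PREFIX, DIGITS)
    print(f"{len(table)} hashes precomputed")
    print(resolve(UPLOADED, table))
    # A full 10-digit number space carries far less entropy than a random token.
    print(f"10-digit numbers: {search_space_bits(10**10):.1f} bits")
    print(f"128-bit random token: {search_space_bits(2**128):.0f} bits")
```

The table is built once and reused for every hash, so each individual lookup afterwards is a single dictionary access.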

Messengers “hand over” their users

It is not possible to treat WhatsApp, Signal and Telegram as genuinely reliable means of communication. Each of them has bugs that make it easy to access data that is not intended for prying eyes.

It became clear in June 2020 that some of the phone numbers associated with WhatsApp user accounts had been publicly accessible for a long time and had also appeared in Google search results.

In total, the numbers of about 300 thousand messenger users could be found with the aid of Google, and the issue was global.

But Signal outdid the others. It turned out in October 2018 that when moving from Signal in the form of an extension for the Chrome browser to its desktop edition (Signal Desktop), the messenger places all the correspondence, along with all attachments, on the user’s computer disk in unencrypted form. All these dialogs are then immediately re-imported by the program, but at a certain stage everything that needs to be encrypted sits on the disk as plain text. This makes it possible to simply copy any details from any correspondence.