NoGoolag
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers

Contact discovery allows users of mobile messengers to conveniently connect with people in their address book.
In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods.

Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service.

https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-3_23159_paper.pdf

#contact #messenger #telegram #whatsapp #signal #crawling #attacks #study #pdf
📡 @nogoolag 📡 @blackbox_archiv
Tracking the WhatsApp habits of 5000 random Smartphones

In the previous blog post, we have seen that it is quite simple to hack the WhatsApp online status of a contact. A simple Online or last seen yesterday at 19:00 insight can be reverse engineered to leak phone habits at a couple of seconds accuracy.

‼️ There is an even more silly thing not mentioned yet:
You can track any mobile phone! So let’s play and scale to track 5000 random numbers.

Like previously, I am sharing the source code as a PROOF OF CONCEPT. You can jump straight to the end if you are more curious about the results than by the technical stuff I’m about to resume. We are reusing the previous code with Node.js, Puppeteer & Grafana.

https://jorislacance.fr/blog/2021/04/16/whatsapp-tracking-2

💡 Hack the WhatsApp status to track contacts
https://jorislacance.fr/blog/2020/04/01/whatsapp-tracking

💡 How a WhatsApp status loophole is aiding cyberstalkers
https://t.me/BlackBox_Archiv/2018

💡 Sudden New Warning Will Surprise Millions Of WhatsApp Users
https://t.me/BlackBox_Archiv/1987

💡 All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (PDF)
https://t.me/BlackBox_Archiv/2042

#DeleteWhatsapp #user #tracking #whatsapp #thinkabout #change
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (Interesting quotes and conclusion)

💡 All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (PDF)
https://t.me/BlackBox_Archiv/2042

Both WhatsApp and Telegram transmit the contacts of users in clear text to their servers (but encrypted during transit), where they are stored to allow the services to push updates (such as newly registered contacts) to the clients. WhatsApp stores phone numbers of its users in clear text on the server, while phone numbers not registered with WhatsApp are MD5-hashed with the country prefix prepended (according to court documents from 2014 [2]).

Signal does not store contacts on the server. Instead, each client periodically sends hashes of the phone numbers stored in the address book to the service, which matches them against the list of registered users and responds with the intersection. The different procedures illustrate a trade-off between usability and privacy: the approach of WhatsApp and Telegram can provide faster updates to the user with less communication overhead, but needs to store sensitive data on the servers.

💡Signal:

Our script for Signal uses 100 accounts over 25 days to check all 505 million mobile phone numbers in the US. Our results show that Signal currently has 2.5 million users registered in the US, of which 82.3 % have set an encrypted user name, and 47.8 % use an encrypted profile picture. We also cross-checked with WhatsApp to see if Signal users differ in their use of public profile pictures, and found that 42.3 % of Signal users are also registered on WhatsApp (cf. Tab. IV), and 46.3 % of them have a public profile picture there. While this is slightly lower than the average for WhatsApp users (49.6 %), it is not sufficient to indicate an increased privacy-awareness of Signal’s users, at least for profile pictures.

💡Telegram:

For Telegram we use 20 accounts running for 20 days on random US mobile phone numbers. Since Telegram’s rate limits are very strict, only 100,000 numbers were checked during that time: 0.9 % of those are registered and 41.9 % have a non-zero importer_count. These numbers have a higher probability than random ones to be present on other messengers, with 20.2 % of the numbers being registered with WhatsApp and 1.1 % registered with Signal, compared to the average success rates of 9.8 % and 0.9 %, respectively. Of the discovered Telegram users, 44 % of the crawled users have at least one public profile picture, with 2 % of users having more than 10 pictures available.

💡 Comparison WhatsApp | Signal | Telegram:

With its focus on privacy, Signal excels in exposing almost no information about registered users, apart from their phone number. In contrast, WhatsApp exposes profile pictures and the About text for registered numbers, and requires users to opt-out of sharing this data by changing the default settings. Our results show that only half of all US users prevent such sharing by either not uploading an image or changing the settings. Telegram behaves even worse: it allows crawling multiple images and also additional information for each user. The importer_count offered by its API even provides information about users not registered with the service. This can help attackers to acquire likely active numbers, which can be searched on other platforms.

💡 Conclusion:

Mobile contact discovery is a challenging topic for privacy researchers in many aspects. In this paper, we took an attacker’s perspective and scrutinized currently deployed contact discovery services of three popular mobile messengers: WhatsApp, Signal, and Telegram. We revisited known attacks and using novel techniques we quantified the efforts required for curious serv[...]

#contact #messenger #telegram #whatsapp #signal #crawling #attacks #comment #conclusion
Facebook wants to analyze encrypted WhatsApp messages "for ads"

TL;DR
Facebook has hired a team of researchers for the purpose of analyzing WhatsApp encryption.
The goal would be to have ways to data-mine WhatsApp messages without actually decrypting them.
One report alleges that Facebook is doing this for ad purposes.

https://www.androidauthority.com/whatsapp-encryption-ads-2728774/


#WhatsApp #Facebook #fb #encryption
The Lockdown Files: The Telegraph has obtained more than 100,000 #WhatsApp messages sent between Matt #Hancock and other #uk ministers and officials at the height of the Covid-19 pandemic.

•Care Home Deaths
•Lockdowns
•Testing
•Face Masks
•School Closures

https://www.telegraph.co.uk/news/lockdown-files/

@childcovidvaccineinjuriesuk
Paragon Graphite is a Pegasus spyware clone used in the US –

The US government banned the use of NSO’s Pegasus spyware 18 months ago, but a new report today says that at least one government agency is using very similar malware from a rival company: Paragon Graphite.

According to four [industry figures], the US Drug Enforcement and Administration Agency is among the top customers for Paragon’s signature product nicknamed Graphite.


The #malware surreptitiously pierces the protections of modern smartphones and evades the encryption of messaging apps like #Signal or #WhatsApp, sometimes harvesting the data from cloud backups – much like Pegasus does.

#spyware #US #Clone #Pegasus #NSO #DEA #ParagonGraphite #Paragon
#WhatsApp is working on complying with new #EU regulations by developing support for chat interoperability, and it will be available in a future update of the app

The European Union has recently reached an agreement on a significant competition reform known as the Digital Markets Act (DMA), which will impose strict rules on large tech companies that will have to offer users the ability to communicate with each other using different apps. WhatsApp is one of the companies that will be required to comply with the new regulations outlined in the European Union’s Digital Markets Act. This is because WhatsApp is considered a gatekeeper service since it’s a large tech platform with a substantial user base and falls within the criteria set by the DMA. With the latest WhatsApp beta for Android 2.23.19.8 update, which is available on the Google Play Store, we discovered that WhatsApp is working on complying with the new regulations:

As you can see in this screenshot, WhatsApp is working on a new section dedicated to the new regulations. Since it is still in development, this section is still not ready, it appears empty and it’s not accessible to users, but its title confirms to us that they are now working on it. WhatsApp has a 6-month period to align the app with the new European regulations to provide its interoperability service in the European Union. At the moment, it remains unclear whether this feature will also eventually extend to countries beyond the European Union.

Interoperability will allow other people to contact users on WhatsApp even if they don’t have a WhatsApp account. For example, someone from the Signal app could send a message to a WhatsApp user, even without a WhatsApp account. While this broader network can definitely enhance communication with those people who use different messaging apps and assist those small apps in competing within the messaging app industry, we acknowledge that this approach may also raise important considerations about end-to-end encryption when receiving a message from users who don’t use WhatsApp. In this context, as this feature is still in its early stages of development, detailed technical information about this process on WhatsApp as a gatekeeper is currently very limited, but we can confirm that end-to-end encryption will have to be preserved in interoperable messaging systems. In addition, as mentioned in Article 7 of the regulations, it appears that users may have the option to opt out when it will be available in the future.

https://wabetainfo.com/whatsapp-beta-for-android-2-23-19-8-whats-new/
Quiet

Encrypted p2p team chat with no servers, just Tor.

https://tryquiet.org/index.html

https://github.com/TryQuiet/quiet

Currently in development stage, so be cautious with your data

Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In Quiet, all data syncs directly between a team's devices over Tor with no server required.

No email or phone number required, Unlike #Slack, #Discord, #WhatsApp, #Telegram, and #Signal, no email or phone number is required to create or join a #community.

End-to-end encryption, All data is #encrypted end-to-end between member devices, using Tor.

Channels, Organize chats in Slack-like channels, so conversations don't get messy.

Images, Send and receive images, with copy/paste, drag & drop, and image previews.

Files, Send and receive files of unlimited size!

Notifications, Invite links, Keyboard controls, Desktop apps

Android, Quiet works on Android, and F-Droid support is on the way.

#E2E #Chat #Quiet #Tor
Judge Orders NSO Group to Surrender Pegasus Source Code to Meta | BitDefender - March 2024

A US Judge ordered the infamous spyware developer and vendor NSO Group to turn over its source code to Meta as part of an almost four-year lawsuit.

Meta sued NSO in 2019 after the American company discovered that a zero-day WhatsApp vulnerability was used to deploy the spyware. According to a Guardian report, the NSO's spyware was allegedly used against 1,400 people in the course of just two weeks.


#Pegasus #NSO vs #Meta #WhatsApp #SourceCode
#WhatsApp, #Signal and #Telegram among apps cut from #iPhone app store to comply with censorship demand

#China ordered #Apple to remove some of the world’s most popular chat messaging apps from its app store in the country, the latest example of censorship demands on the iPhone seller in the company’s second-biggest market.

https://www.wsj.com/tech/apple-removes-whatsapp-threads-from-china-app-store-on-government-orders-a0c02100
Engineers warned #Meta that nations can monitor chats; staff fear usrael is using this trick to pick assassination targets in Gaza.

https://archive.ph/o1ld8

#fb #Facebook #WhatsApp #why
🔴 Using #WhatsApp helps the israeli army pick targets in Gaza

In April 2024, +972 Magazine journalist Yuval Abraham revealed the existence of Lavender ⁠AI: a system that automatically picks bombing targets. Lavender collects information on most of the 2.3 million residents of Gaza through a system of mass surveillance, then assesses the likelihood that each particular person is active in Hamas or PIJ, giving almost every single person in Gaza a rating from 1 to 100.

The article said that the current commander of Unit 8200 wrote in a guide book for Lavender ⁠AI that the features being used to select targets include “being in a WhatsApp group with a known militant, changing cell phone every few months, and changing addresses frequently.”

“The sources told +972 and Local Call that, during the first weeks of the war, the army almost completely relied on Lavender.” Israel has deployed additional automated systems, e.g., ‘Where's ⁠Daddy’ signals when a target has entered his family home.

Last week, The Intercept wrote that many WhatsApp employees fear that Israel has been using a vulnerability based on traffic analysis. According to their assessment: “[Deep Packet] Inspection and analysis of network traffic is completely invisible to us, yet it reveals the connections between our users: who is in a group together, who is messaging who, and (hardest to hide) who is calling who”... [A typical threat is due to peer-to-peer calls between users, which can be disabled on Telegram since many years ago but on WhatsApp only since Nov ⁠8, 2023 ⁠!]

And worse
#Venezuela government mafia spokesperson #Maduro deletes #WhatsApp on live TV, keeps all the other Facebook and Gapps spyware. Minions clap

#idiocracy
WhatsApp - a tool for israel to track Palestinians?

Ismail Haniyeh's son: My father used WhatsApp a lot, we even had a family group, so tracking him down was not difficult.

israel reportedly installed a malware on Haniyeh phone by WhatsApp before his assassination.

Article:

Hamas leader Ismail Haniyeh was killed after israeli terrorists installed spyware on his cell phone through a WhatsApp message to track his whereabouts that was used to launch a missile strike, Lebanese journalist Elia Manier has claimed.

Numerous reports have repeatedly suggested that the use of WhatsApp messenger to detect Palestinians has been a common practice for the israeli terrorists.

▪️The Palestinian digital rights group Sada Social earlier demanded a probe into the Israel Occupation Forces' (IOF) alleged use of #WhatsApp user data to target Hamas “suspects” in the Gaza Strip with the help of the Israeli AI-aided system, #Lavender. Both Meta (the owners of the popular messaging service) and the #IOF deny the allegations.