WhatsApp, Signal and Telegram failed the most banal safety test with a crackle

WhatsApp, Signal and Telegram failed the most banal safety test with a crackle

WhatsApp, Signal and Telegram “leak” the phone numbers of their users (and in the case of Telegram even those who are not registered in it), which allows you to pull all the information from their profiles. It can then be used by attackers to create fake accounts for fraudulent purposes, but it will be the fault of not only messengers, but also the users themselves.

Unsafe messengers

WhatsApp, Signal and Telegram messengers, known for their advanced security technologies, did not provide an adequate level of protection of personal information of their users. This was reported by researchers from the University of Würzburg, who tested services for access to private information together with colleagues from the Technical University of Darmstadt (both universities are in Germany).

In their report, the authors of the experiment pointed out that all three messengers, included in the version of the profile resource TechRadar and the developer of anti-virus solutions Avg, in the top five most secure, disclose the personal data of users through contact search services by phone numbers stored in the address book. This is due to the fact, according to researchers, that any of these messengers on the first launch on a mobile device for its correct operation requests access to the contacts of the owner of the gadget. Having received it, later on they upload the list of contacts to the developer company’s servers with a certain periodicity.

What data was publicly available

According to the authors of the study, they used very few resources to parse all three messengers, but even with their help they gained access to significant amounts of data. For example, in the course of their experiment, they scanned 10% of WhatsApp user numbers in the U.S. and 100% of Signal user numbers, which is known to be Edward Snowden’s favorite messenger. In 2015, he stated that he was using the app every day (apparently to contact journalists).


The high popularity of communication services does not mean that they are completely safe

The researchers have at their disposal all the data that people lay out in their profiles. Among them were account photos, nicknames, statuses, last date and time of connection to the service, etc.

Data analysis allowed to compile some statistics on user behavior. For example, most of them do not change the privacy settings, leaving them as they were when registering in the messenger, and the basic settings in most of these types of services do not provide this most privacy.

The researchers also found that about 50% of WhatsApp users in the US have a public photo of their account. Moreover, 90% do not hide the information they have posted in the “About” section.

Experts also noted the fact that 40% of Signal users, originally positioned as the most secure messenger and aimed at those who are concerned about privacy, have fully open profiles at WhatsApp.

Telegram, on the other hand, differs from its two competitors. Researchers were able to use it to get phone numbers even of those people who are not registered in this messenger, but are in the lists of contacts of users who have an account in it.

What could this threaten

Even considering that there is no really important information in the messenger user profiles that cannot be disclosed to third parties (bank card numbers, passport details, etc.), the available information can be used by attackers for their own purposes. Messengers do not have strict registration rules, which allows them to create in them many accounts with stolen information, for example, for fraudulent activities. The same is common in social networks – a cybercriminal creates a clone of someone’s page and starts, for example, to ask for money from those people who are on the list of friends of the owner of the real profile.

How to protect against scanning

The authors of the research stated that the type of information that hackers or attackers can get about this or that user of the service depends on the user. To be more precise, they depend on the privacy settings he has chosen.

The messengers themselves also have a certain influence on the dissemination of personal data. Thus, if WhatsApp and Telegram transmit to their servers the entire contact list, Signal sends instead only short hashes of phone numbers, which makes it difficult to find information. Nevertheless, a study of German specialists showed that it is possible to derive phone numbers from hash values using special tools in milliseconds.

Messengers “rent out” their users

WhatsApp, Signal and Telegram cannot be considered truly reliable means of communication. Each of them has vulnerabilities that allow easy access to information that is not intended for outsiders.

For example, in August 2020. CNews reported finding the most basic way to intercept other people’s messages in Telegram using the Favorites contact. At the time of publication of the material, the vulnerability has been removed.

In June 2020, it became known that some phone numbers tied to user profiles in WhatsApp, for a long time were in the public domain and even got into the Google search output. In total, with the help of Google could be found up to the number of about 300 thousand messenger users, and this problem was also global.

But Signal has distinguished itself more than others. In October 2018 it turned out that when switching from Signal as an extension for Chrome browser to its desktop version (Signal Desktop), the messenger puts all correspondence on the disk of the user’s device in unencrypted form, and along with all attachments. The application then automatically reimports all these dialogs, but at a certain time, everything that should be encrypted lies on the disk in plaintext. This allows copying any information from any correspondence without the need to decrypt it.



WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: