Breaking & Fixing Contact Discovery in Mobile Messengers (2020)

I asked myself which messengers upload (all) contacts.

Groups at universities came up with two papers in 2020 that are relevant for a privacy-focused mobile operating system. I searched the forum to see if they came up yet but didn’t have hits, apologies for duplicates. Both papers are summarized at

  • “All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers” [HWSDS21] (Paper)

  • “Privacy-preserving Mobile Contact Discovery with Private Set Intersection” [KRSSW19] (Video / Paper)

The group looked at major messengers and how they manage contact discovery: whether local contacts are uploaded, in what form, and whether messenger APIs can be abused to leak user info by mass crawling (similar to how Facebook recently leaked 500M phone numbers via their API).

A quote from the press release:

WhatsApp and Telegram, for example, transmit the user’s entire address book to their servers. More privacy-concerned messengers like Signal transfer only short cryptographic hash values of phone numbers or rely on trusted hardware. However, the research team shows that with new and optimized attack strategies, the low entropy of phone numbers enables attackers to deduce corresponding phone numbers from cryptographic hashes within milliseconds.

(With disclosures in Sept 2020, providers have improved countermeasures, at least against the mass crawls.)
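As an added example (not code from either paper or from any messenger), a minimal Diffie-Hellman-style private set intersection for contact discovery, the approach the second paper's title refers to: the client blinds its contacts with a secret exponent, the server re-blinds them and blinds its own user list with its secret, and only the client learns which of its contacts are registered, while the server never sees a value it could reverse by enumerating the phone-number space. Assumed: the 1024-bit MODP group from RFC 2409 (used only to keep the snippet self-contained; a deployment would use a larger group or elliptic curves) and the constructed phone numbers in the demo.

```python
import hashlib
import secrets

# 1024-bit MODP prime (RFC 2409, Oakley group 2), generator 2. Chosen here only
# so the example is self-contained. It is a safe prime, so Q = (P - 1) // 2 is
# the order of the subgroup generated by G.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2

def hash_to_group(phone: str) -> int:
    """Map a normalised phone number into the order-Q subgroup of Z_P*."""
    e = int.from_bytes(hashlib.sha256(phone.encode()).digest(), "big") % Q
    return pow(G, e, P)

def blind(elements, secret):
    """Raise every group element to the secret exponent (commutative)."""
    return [pow(h, secret, P) for h in elements]

def client_blind(contacts):
    """Client step 1: blind own contacts with a fresh secret a."""
    a = secrets.randbelow(Q - 1) + 1
    return a, blind([hash_to_group(c) for c in contacts], a)

def server_respond(blinded_contacts, registered):
    """Server: re-blind the client's values with b and blind its user list."""
    b = secrets.randbelow(Q - 1) + 1
    return blind(blinded_contacts, b), blind([hash_to_group(u) for u in registered], b)

def client_intersect(contacts, a, double_blinded, server_blinded):
    """Client step 2: H(y)^(b*a) == H(x)^(a*b) exactly when x == y."""
    known = {pow(s, a, P) for s in server_blinded}
    return sorted(c for c, d in zip(contacts, double_blinded) if d in known)

def discover(contacts, registered):
    """Run the full exchange; returns the contacts that are registered."""
    a, blinded = client_blind(contacts)
    double_blinded, server_blinded = server_respond(blinded, registered)
    return client_intersect(contacts, a, double_blinded, server_blinded)

if __name__ == "__main__":
    # Constructed sample data, not real numbers.
    my_contacts = ["+15551230001", "+15551230002", "+15551230003"]
    users = ["+15551230002", "+15551230003", "+15551239999"]
    print(discover(my_contacts, users))  # ['+15551230002', '+15551230003']
```

The server's reply still reveals how many users it has, and the scheme costs one exponentiation per contact per side; the papers discuss more efficient protocols, but the blinding idea is the same.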

Facebook users received friend recommendations of strangers who happened to see the same psychiatrists.

This seems weirdly appropriate, considering it’s Facebook.

