Researchers were able to figure out which American phone numbers use Signal

Privacy flaws in contact discovery have led to a research team being able to enumerate all American Signal users. Enumeration means that using the contact discovery built into the Signal app, researchers were able to perform a large-scale crawling attack and figure out which American phone numbers were attached to a Signal account. The new research paper was released by Christoph Hagen, Christian Weinert, Christoph Sendner, Alexandra Dmitrienko, and Thomas Schneider. It is titled: “All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers.”

Current contact discovery implementations have a lot of privacy flaws – even in otherwise private apps

The paper highlights the privacy flaws of contact discovery APIs utilized by most messaging apps – including ones recommended for privacy such as Signal, Telegram, and WhatsApp.  When you sign up for a messaging service like WhatsApp, an entire list of your contacts is sent to the centralized service unencrypted which has the side effect of leaking your social graph. Some messaging services, like Signal, have improved on that archaic model and send hashed copies of contacts to evaluate; however, said hashes are likely reversible by the service provider. Of course, it’s possible for the apps to infer this information just from metadata, and it’s naive to think they don’t.

All American Signal users enumerated due to contact discovery privacy flaws

The authors described their enumeration process which highlights the most glaring privacy flaw from current contact discovery implementations:

“Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal.”

Some implementations of contact discovery are better than others. The researchers noted that Telegram seemingly leaked additional contact information – even for those contacts that don’t use Telegram:

“For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service.”

Through their research, the paper’s authors were even able to gather data on how many phone numbers use both Signal and WhatsApp or Telegram and Signal or any combination of the three. Some people might not see the privacy implications of leaking your social graph, or being enumerated as a user of a service; however, the potential for damage is there.

The researchers explained:

“The simple information whether a specific phone number is registered with a certain messaging service can be sensitive in many ways, especially when it can be linked to a person. For example, in areas where some services are strictly forbidden, disobeying citizens can be identified and persecuted.”

Persecution for using encryption and privacy apps is a very real threat in multiple jurisdictions in the world. All hope isn’t lost, though, the paper points out novel techniques for mitigating contact discovery’s privacy flaws and hopefully we see them implemented by otherwise very privacy forward companies. Not tying phone numbers to encrypted messaging apps would be nice, too.