Junkyu Kang (KAIST), Soyoung Lee (KAIST), Yonghwi Kwon (University of Maryland), Sooel Son (KAIST)

Mobile messaging apps have become an integral part of daily communication and have massive user bases (e.g., over 950 million users on Telegram and 48.7 million on KakaoTalk). To boost engagement and grow their user bases, messaging apps offer diverse context-rich and platform-specific features, such as nearby user search, contact discovery, and single sign-on (SSO)-based account linking. While these features let users adopt multiple messaging apps on a single mobile device, they also introduce the risk that private user information can be linked across those apps, a privacy threat that remains understudied.

This paper presents an in-depth analysis of privacy threats in messaging apps widely used in South Korea, including KakaoTalk, Telegram, WhatsApp, Signal, and Tinder, and demonstrates concrete attacks that exploit their contact discovery, SSO-based account linking, and nearby user search features to compromise user privacy. More importantly, we chain these attacks into the first cross-platform linking attack, which enables adversaries to deanonymize user names and infer users' physical locations with an average error of 324 meters, for large numbers of both untargeted and targeted users. Our findings highlight that securing contact discovery is crucial: permissive contact discovery policies allow adversaries to use phone numbers and profile images as linking keys that connect private user information across multiple messaging apps. We discuss and propose mitigation strategies to alleviate the presented threats.
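To make the linking-key idea in the abstract concrete, the following added example (not code from the paper or its authors) shows how an adversary could join profiles harvested from two apps using the two keys the abstract names: a phone number exposed through permissive contact discovery, and a reused profile image. The paper does not specify how it compares images; the average-hash (aHash) routine, the South Korean phone normalisation, the `Profile` record, and all sample profiles and pixel data below are assumptions constructed for this illustration.

```python
"""Added example: cross-platform profile linkage by phone number and profile
image.  All data and helper names here are constructed for illustration and
are not taken from the paper."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    app: str                              # which messaging app the record came from
    handle: str                           # display name / pseudonym on that app
    phone: Optional[str]                  # phone number if contact discovery exposed it
    image: Optional[List[List[int]]]      # tiny 8x8 greyscale profile image (0-255)


def normalize_phone(raw: str, default_cc: str = "82") -> str:
    """Canonicalise a phone number to E.164-like form so that
    '010-1234-5678' and '+82 10 1234 5678' compare equal.
    Assumes South Korean numbers when no country code is given."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("0"):            # strip the domestic trunk prefix
        digits = digits[1:]
    return "+" + default_cc + digits


def ahash(pixels: List[List[int]]) -> Tuple[int, ...]:
    """Average hash: 1 bit per pixel, set when the pixel is >= the image mean.
    Robust to recompression and small brightness shifts, which is why a
    re-uploaded profile picture still matches.  (Stand-in for whatever
    image comparison the paper actually used.)"""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    return tuple(1 if p >= mean else 0 for p in flat)


def hamming(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    return sum(x != y for x, y in zip(a, b))


def link(profiles_a: List[Profile], profiles_b: List[Profile],
         max_image_dist: int = 4) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (handle_a, handle_b, keys) for every pair that shares at least
    one linking key.  A phone match is exact; an image match is a hash
    within `max_image_dist` bits."""
    links = []
    for a in profiles_a:
        for b in profiles_b:
            keys = []
            if a.phone and b.phone and normalize_phone(a.phone) == normalize_phone(b.phone):
                keys.append("phone")
            if a.image and b.image and hamming(ahash(a.image), ahash(b.image)) <= max_image_dist:
                keys.append("image")
            if keys:
                links.append((a.handle, b.handle, tuple(keys)))
    return links


# --- constructed sample data -------------------------------------------------
# A smooth gradient "portrait", the same portrait after lossy re-upload
# (per-pixel jitter), an unrelated checkerboard, and a flat placeholder avatar.
FACE = [[r * 32 + c * 4 for c in range(8)] for r in range(8)]
FACE_REUPLOADED = [[v + (c % 3) for c, v in enumerate(row)] for row in FACE]
OTHER = [[255 if (r + c) % 2 else 0 for c in range(8)] for r in range(8)]
PLACEHOLDER = [[50] * 8 for _ in range(8)]

# App A: contact discovery reveals the real name tied to a phone number.
APP_A = [
    Profile("AppA", "Kim Minsu", "010-1234-5678", FACE),
    Profile("AppA", "Lee Jiwoo", "010-9876-5432", OTHER),
]
# App B: pseudonymous handles found via nearby user search.
APP_B = [
    Profile("AppB", "sunny_day", "+82 10 1234 5678", FACE_REUPLOADED),
    Profile("AppB", "nightowl", None, OTHER),
    Profile("AppB", "anon42", None, PLACEHOLDER),
]

if __name__ == "__main__":
    for real_name, pseudonym, keys in link(APP_A, APP_B):
        print(f"{pseudonym!r} on AppB is {real_name!r} on AppA (via {', '.join(keys)})")
```

Running the script links `sunny_day` to Kim Minsu through both keys and `nightowl` to Lee Jiwoo through the reused image alone, while the placeholder avatar produces no link. The second case is the one the abstract warns about: even when an app hides phone numbers, a profile picture copied between apps is enough to bridge a real-name identity to a pseudonymous one, so a mitigation that only restricts phone-number lookup leaves the image key intact.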
