Search Icon
2027 Submissions

Connecting the Dots: An Investigative Study on Linking Private User Data Across Messaging Apps

Junkyu Kang (KAIST), Soyoung Lee (KAIST), Yonghwi Kwon (University of Maryland), Sooel Son (KAIST)

Mobile messaging apps have become an integral part of daily communication with massive user bases (e.g., over 950 million on Telegram and 48.7 million on KakaoTalk). To boost user engagement and user base, messaging apps offer diverse context-rich and platform-specific features, such as nearby user search, contact discovery, and single sign-on (SSO)-based account linking. While these features enable users to adopt multiple messaging apps on a single mobile device, they also introduce privacy risks of linking private user information across multiple message apps, which remains understudied.

This paper presents an in-depth analysis of privacy threats in widely used messaging apps in South Korea, including KakaoTalk, Telegram, WhatsApp, Signal and Tinder, demonstrating concrete attacks exploiting their contact discovery, SSO-based account linking, and nearby user search features to compromise user privacy. More importantly, we chain the attacks to conduct the first cross-platform linking attack, which enables adversaries to deanonymize user names and infer users’ physical locations with an average error margin of 324 meters for a large number of untargeted and targeted users. Our findings highlight that securing contact discovery is crucial as permissive contact discovery policies allow adversaries to exploit phone numbers and profile images as linking keys to connect private user information across multiple messaging apps. We discuss and propose mitigation strategies to alleviate the presented threats.

Paper
Slides
Video

View More Papers

TENSURE: Fuzzing Sparse Tensor Compilers (Registered Report)

Kabilan Mahathevan (Department of Computer Science, Virginia Tech, Blacksburg), Yining Zhang (Department of Computer Science, Virginia Tech, Blacksburg), Muhammad Ali Gulzar (Department of Computer Science, Virginia Tech, Blacksburg), Kirshanthan Sundararajah (Department of Computer Science, Virginia Tech, Blacksburg)

Read More

Identifying Logical Vulnerabilities in QUIC Implementations

Kaihua Wang (Tsinghua University), Jianjun Chen (Tsinghua University), Pinji Chen (Tsinghua University), Jianwei Zhuge (Tsinghua University), Jiaju Bai (Beihang University), Haixin Duan (Tsinghua University)

Read More

SysArmor: The Practice of Integrating Provenance Analysis into Endpoint...

Shaofei Li (Peking University), Jiandong Jin (Peking University), Hanlin Jiang (Peking University), Yi Huang (Peking University), Yifei Bao (Jilin University), Yuhan Meng (Peking University), Fengwei Hong (Peking University), Zheng Huang (Peking University), Peng Jiang (Southeast University), Ding Li (Peking University)

Read More