Titulo Estágio
Practical Contact Enumeration and Privacy Analysis of Modern Messaging Applications
Local do Estágio
DEI/CISUC
Enquadramento
Popular messaging platforms such as WhatsApp, Signal, Telegram, Snapchat, make real-time interaction easier and are considered highly secure because they offer end-to-end encryption and strong privacy features. However, such platforms depend heavily on a mechanism called contact discovery — a feature that matches users’ phone numbers with their contact lists to identify which friends are already using the app. While this mechanism offers a seamless user experience, it also introduces significant privacy and security concerns. Contact list uploading act to messaging apps, temporarily or in hashed form, can result in valuable personal information leak about registered and unregistered users.
Recent academic studies mention that large-scale crawling attacks for contact discovery are not only theoretically possible but practically can be done with modest resources. For instance, in their studies they demonstrated how attackers could query up to 100% of U.S. mobile numbers on Signal and 10% on WhatsApp to learn whether a number is registered and to extract associated metadata.
In addition to contact registration status, personal metadata such as profile pictures, usernames, last-seen timestamps, and status messages can be scrapped and analyzed. This information could result in creation of detailed behavioural and social models of individuals when combined with information from social media and public data sources. Consequently, users of these messaging apps may be subjected to persecution or targeted attacks. Another type of information that can be misused is the social graph inferred by messaging platforms — revealing who is connected to whom — which can expose intimate personal relationships. Moreover, hashing-based contact discovery protocols are not as secure as presumed. Studies show that they can be broken and use techniques such as optimized rainbow tables and reverse engineering.
The main challenge is that most messaging apps offer little to no restrictions on querying their user base. This results in the creation of an environment that vulnerable for enumeration attacks, where an adversary can systematically input large sets of phone numbers to detect which ones are registered and extract public-facing metadata.
Despite the severity of these risks, few practical, comparative studies exist that examine how different messaging platforms handle contact discovery, metadata exposure, and user enumeration in a real-world context. Most existing research has focused either on isolated platforms or theoretical vulnerabilities without providing practical tools to demonstrate and compare privacy exposures across systems.
This thesis addresses a gap in practical cybersecurity research by developing and applying real-world enumeration techniques against multiple popular messaging apps. It aims to analyze their contact discovery mechanisms, identify weaknesses, and compare how much information they leak by default. The research is particularly relevant in the current landscape where mobile privacy is under increasing scrutiny due to rising surveillance, cybercrime, and data misuse.
By implementing an extensible toolkit capable of simulating enumeration attacks, and by systematically analyzing the platforms’ resistance to abuse (e.g., through rate limiting), this thesis will offer both empirical insights and practical contributions.
Objetivo
The aim of this study is to explore and show privacy vulnerabilities in widely used messaging applications caused by their contact discovery mechanisms. The research concentrates on developing practical tools and methodologies to enumerate user accounts using various technical approaches. The main goal is to consider a comparative; real-world analysis of how various messaging platforms deal with contact discovery.
The objectives and expected results are as follow:
Implement Enumeration Contact Discovery Techniques: Practically design and apply the techniques of contact enumeration against various messaging apps, such as WhatsApp, Signal, Snapchat, Viber, Signal, and many others. The result expected contains extensible toolkit (script-based or GUI-based) that simulates enumeration of contacts.
Perform Systematic Analysis of Contact Discovery Mechanisms: Research on of how various messaging apps implement contact discovery, and how they prevent against its abuse.
Analyze Exposed User Metadata: Categorize the types of metadata retrieved from both registered and unregistered contacts. For instance, profile picture, username and status message can be obtained as a result.
Compare Privacy Exposure Across Platforms: Assess and compare the degree of privacy leakage across different messaging apps, considering ease of enumeration and volume of exposed data. As a result, a scoring system containing the ranks of the apps based on: enumerability (ease of confirming if a number is registered), metadata availability (quantity and sensitivity of leaked info) and privacy defaults (what is publicly visible by default).
Additionally, it is expected to submit the results to an international conference or journal.
Plano de Trabalhos - Semestre 1
Task 1.1 – In-depth literature review
Task 1.2 – Selection of target messaging apps
Task 1.3 – Design of an enumeration framework
Task 1.4 – Ethical approval and responsible disclosure plan
Task 1.5 – Prototype implementation of enumeration for one app
Task 1.6 – Write the intermediary report.
Plano de Trabalhos - Semestre 2
Task 2.1 – Full implementation of enumeration toolkit for all selected apps
Task 2.2 – Data collection and logging
Task 2.3 – Analysis of privacy exposure
Task 2.4 – Comparative study and discussion
Task 2.5 – Write the final report and the scientific publication
Condições
The student will have access to all the computer resources needed to carry out the work. A workstation will also be provided at CISUC (Center for Informatics and Systems of the University of Coimbra). Evaluation, either by simulation or using specific hardware, can be carried out using computer resources available in the department.
Observações
This work aims to uncover real-world privacy risks that are often overlooked in theoretical discussions or security models, by focusing on practical implementation and empirical evaluation. All enumeration techniques will be performed in controlled environments using anonymized or simulated data where applicable. Real phone numbers, if used, will be randomly generated or come from consented sources solely for academic analysis. No exploitation, targeting, or disclosure of personal user information will occur outside ethical and legal boundaries. Additionally, any findings that reveal potential vulnerabilities will be responsibly disclosed to the respective service providers.
This project has potential for public impact. The tools and scoring system developed through this work may be shared with the broader research community (e.g., via GitHub or academic publications) to enable further exploration and acceptance around mobile messaging privacy.
In summary, this thesis combines technical depth and practical outcomes, with the potential to generate both academic value and real-world impact.
The work is in the scope of the CSLab activities.
Advisors:
Vasco Pereira (vasco@dei.uc.pt)
Bruno Sousa (bmsousa@dei.uc.pt)
Diyari Al Zahawi
Orientador
Vasco Simões Pereira
vasco@dei.uc.pt 📩