Tag Archives: WhatsApp

What’s Up, with WhatsApp

Posted on by

I have been posting about WhatsApp recently so I thought I would make them all into a small blog.

I was surprised (Or maybe I wasn’t) that It was recently revealed that the Prime Minister was using WhatsApp to communicate with his cabinet. The Digital Exposure vulnerabilities to the PM, would immediately be apparent to a Hostile Threat.

The reason why a High Value Target such as the PM should consider moving to a more privacy focused alternative I would have thought would have been obvious.

Yes of course we know WhatsApp is encrypted, (they borrowed it from Signal) but it obtains a lot of metadata about the user, such as location information, contact information, user content, purchases, diagnostic information and more.

If you back your WhatsApp messages up to iCloud they are not encrypted, you may not even know you are backing your chats up to the iCloud if you haven’t taken the time to lock your mobile phone down.

Unless you know the work around you can only use WhatsApp by syncing your contacts. This is a massive OPSEC & Privacy vulnerability for a High Value Target. 89.6% of all phishing attacks carried on messenger apps are delivered using WhatsApp, the Israeli cyber intelligence company NSO use WhatsApp to deliver its spyware, Pegasus, which is aimed at people who would be considered High Value Targets and can infect both Android and iPhones.

Further reading: –

https://www.bbc.com/news/technology-57910355

https://www.techrepublic.com/article/the-most-dangerous-messaging-apps-on-android/#:~:text=New%20data%20from%20Kaspersky%20reveals,whopping%2089.6%25%20of%20detected%20attacks

https://www.theverge.com/2021/3/8/22319136/whatsapp-cloud-backups-icloud-google-drive-password-encryption-security

https://www.androidpolice.com/2020/04/08/3-ways-to-message-a-number-on-whatsapp-without-adding-them-as-a-contact-first/?amp

WhatsApp was founded in 2009 and bought by Facebook in 2014 for $19 billion, a figure that valued each of the app’s 450 million users at around $42 a head. Facebook’s biggest property is now WhatsApp. The price may seem astonishing but in reality $42 a head, is a small price to pay for all the metadata that they receive on a daily basis from users, data that could be monetised by Facebook itself or by selling the information to third parties.

The latest WhatsApp statistics show that two billion of its users access the messaging app every month (Statista, 2021). That’s 0.7 billion (or approximately 54 percent) more than its closest rival and parent company’s Facebook Messenger.

Don’t forget WhatsApp is rolling out a new Terms of Service globally which faced an initial backlash form users in relation to what information it would be sharing with its parent company.

Just think of how many people use WhatsApp to create groups, some will work in sensitive roles, so they can communicate when at work or outside of work with colleagues. WhatsApp won’t know what the text is in the message, but they could be able to work out who these people are, or buildings they work from etc, the metadata will not be anonymous.

For further reading on this subject https://www.wired.co.uk/article/whatsapp-instagram-facebook-data

I have also read articles that the PM’s mobile number was available online, it doesn’t appear he has been practicing good mobile hygiene or OPSEC.  If I was a, Hostile Threat, this would provide me with numerous opportunities and pivot points to exploit the number further.

If I was a, Hostile Threat, and I knew your mobile number, then I can gain a certain amount of access to your WhatsApp account. Better still if you leave your phone unattended I could either steal your account or duplicate it on my device, depending on what counter measures you have deployed.

I have recently read that WhatsApp is going to make syncing your WhatsApp account to other devices more seamless an experience. Maybe not the best option from a privacy and security perspective.

At least there is a certain amount of security currently, if someone does sync your account without your knowledge to the desktop app, it is reliant on your mobile phone having a stable internet connection, when you lose internet it breaks the connection to the desktop which means a Hostile Threat would need to re-sync your account. You should always check the, ‘Linked Devices’ in your settings.

I totally understand that WhatsApp is convenient and all your friends and family are probably using it. In reality it is a personal choice and what you consider your own personal Threat Model to be. There is always a balance to be struck between, Privacy, Security and Usability.

Check out my other blog at https://www.cqcore.uk/something-a-little-different/ if you are interested in having more private, secure communications.

© cqcore 2021

OSINT & Messenger Apps

Posted on by

(First Published On Medium January 2020)

Throughout 2019 one thing that is obvious about the OSINT community is how much work people do in their own time and how willing they are to share their work.

So I decided that over the Christmas Holidays I would look at the many messenger apps that are available and see what information could be leveraged using a Subject’s mobile phone number. I wanted to see what information could be obtained from the app and the desktop versions. This is very much a whistle stop tour and please take what I have done and build on it.

Below is an illustration of which apps are popular across the Globe.

Source www.messengerpeople.com

Much of what you will be able to discover about a target mobile number will depend not just on the privacy settings of your target app but also your privacy settings.

It is important to learn how each app works and what potential trace you leave your Subject to see.

All the apps seen here offer the investigator / researcher different things and rely somewhat on the on the information that the target has supplied when creating their accounts.

Strava, Voxer, Skype, have the potential to give location information and other personal information. Apps such as GroupMe, Line, Skype, Strava,Telegram, Wire will provide you with the name that the target has provided when the account was created and not the one that you may have created in your contacts.

Apple Facetime and Google Duo do not seem to offer much in relation to profile photo or personal information. Where they do come in useful however is that you are able to potentially confirm the existence of an Apple or Google account.

Facebook, Facebook Messenger and Instagram appear to make searching contacts difficult in that they will blend you contact in amongst other people so obfuscating your Subject.

You have to sometimes be patient too as not all the apps sync straightaway or are consistent in how often they sync.

Google Duo - App & Website

Confirms a person is on Duo.
It will tell the person that you have added them to your contacts that you are now on Duo too, so this may be an issue depending on what your objective is.
For those in LE however it does present an opportunity because you have a real world number associated with a Google product.

Facebook Messenger - App / Website

Profile Picture and details from a Facebook bio.

Facetime


What I have noticed is that if you add a contact on an Apple I-Phone it will tell you whether that contact number is on Facetime. So we can easily establish that your subject is potentially using an Apple product.
For those in LE it presents an opportunity because you have a real world number associated with an Apple product.

GroupMe - App / Website

Will provide Profile photos the name of the contact on the Server not from your phonebook.

ICQ - App / Website


Profile Picture, Nickname, Name, BIO & last seen.
Will show when someone is on-line.

IMO - App / Desktop

Profile Picture and also the name they have provided to their account as well as last seen.
It will show the other person if they are on IMO that you have joined and that you have added then to your contacts.
IMO also shows everyone who is presently on-line (not just your Subject) and also nearby groups but this is something I am still exploring.

Line

Profile picture. The other person has to have altered the settings to allow them to be added as a contact
Your subject will see you as a Friend / Friends Recommendation depending on their phone. It will also show when someone is on-line.
When you click on your contact it will show the name you have given them but underneath it will also show you the name they have given them themselves, as their display name.

Skype - App / Desktop

Skype is one of my favourites as people who use it tend to give up more information, which I assume is down to the fact this is a professional / business messenger service.
Skype will display, username, profile picture. It will provide the name as per the server not your contacts, also location information of where they say they are from along with a date of birth.

SOMA - App

Profile Picture, last scene online, status (Very similar to Whatsapp)

Telegram - App / Desktop

You can see a user’s profile photo, username and bio along with their last seen.
If you are using the desktop client of Telegram it will show their previous profile photos too.
Now I have had mixed results depending on the device I have been using. If your Subject  is not on Telegram it will tell you how many of their contacts are.
One of my favourite bloggiest @aware-online has an excellent tutorial on how geolocate groups on Telegram.

Strava

Will show profile picture and the name on Strava server not in your contacts. Will also show the location they are from if this field has been completed and Bio info.

Viber - App / Desktop

Viber will enable you to see a person’s profile picture as well as last seen, online. (Very similar to Whatsapp)

Voxer

• Profile Picture, username, location of where they say they are from.

WeChat - App

• I am still working with this one as I am having issues with the web version.
• With WeChat you have to get another user to scan your QR code to enable you to use the app.
• You can see a person’s profile picture.
• Similar to Telegram you can see nearby users which will show you their profile picture and name.

WhatsApp ¬– App / Desktop

Profile picture, Last seen, Status & About Me.
Even if, “Last Seen,” is disabled and their privacy settings are locked down you can still appear to be able to see when your subject is on-line.

Wickr – App / Desktop

Username & profile picture.
You can choose to add a phone number too which is then searchable, email and names are also searchable. You can see their online status. You can search for rooms.

Wire - App / Desktop

Profile username, picture and name from Wire servers.

Now I have left this one to the last:-

Signal - App / Desktop


From what I can see it is very difficult to leverage anything from Signal apart from confirmation that somebody has the app. For those who like their privacy this may just be the app for you.