I’ve got your number: Harvesting users’ personal data via contacts sync for the Kakaotalk messenger

Abstract

Instant messaging (IM) is increasingly popular among not only Internet but also smartphone users. In this paper, we analyze the security issue of an IM application, KakaoTalk, which is the most widely used in South Korea, with a focus on automated friends registration based on contacts sync. We demonstrate that there are multiple ways of collecting victims’ personal information such as their names, phone numbers and photos, which can be potentially misused for a variety of cyber criminal activities. Our experimental results show that a user’s personal data can be obtained automatically (0.26 s on average), and a large portion of KakaoTalk users (around 73%) uses their real names as display names. Finally, we suggest reasonable countermeasures to mitigate the discovered attacks, which have been confirmed and patched by the developers.