Design and analysis of enumeration attacks on finding friends with phone numbers: A case study with KakaoTalk

Users' phone numbers are popularly used for finding friends in instant messaging (IM) services. In this paper, we present a new security concern about this search feature through a case study with KakaoTalk which is the most widely used IM in Korea. We demonstrate that there are multiple ways of collecting victims' personal information such as their (display) names, phone numbers and photos, which can be potentially misused for a variety of cyber–criminal activities. Our experimental results show that a user's personal data can be obtained automatically (0.26 s on average). The results also indicate that a large portion of KakaoTalk users (72.8%) have used real or real-like names in their profiles, which means that our discovered enumeration attacks seem to be practically dangerous. To mitigate these attacks, we present three countermeasures including a misuse detection system that can discover abnormal application activities within a certain time-window.