WhatsIdent: How I identified people by using WhatsApp profile pictures
Two years ago I developed a project with my professor Norbert Pohlmann which we named SocielIdent. In the context of this project we tried to find out whether it's possible to identify people in the street by taking their picture or entering their name. We used LinkedIn, Xing, and Facebook as sources and tried to find the target person's social network accounts on these social networks. We tested it on 158 people and determined that it's partially possible. You can get more information about this project here.
A few months ago I started to analyse WhatsApp to find an answer to a similar question to the one above. Could I identify and find a person and his friends or relatives just by taking his picture?
Yes, it was possible. I found people's phone numbers, friends, relatives and social network profiles by just using their pictures.
See how I did it:
My Toolkit
1. An Android emulator – I used NoxPlayer
2. WhatsApp's APK file – https://whatsapp.com/download (I used WhatsApp Business)
3. A phone number to create a new WhatsApp account – I bought one (it can be blocked by WhatsApp)
4. A tool to generate cell phone numbers – I developed my own
5. A tool to download profile pictures from WhatsApp – I developed my own
6. A web crawler – I developed my own
7. Face recognition software – I was sponsored by Ayonix.com
1. Creating Contact List
Firstly I installed the Android emulator NoxPlayer on my PC. Then I installed WhatsApp on the emulator. I generated 70,000 random cell phone numbers. I didn't generate them in ascending order because WhatsApp could detect it and block me. From these 70,000 phone numbers I created 70,000 contacts (in the VCF format). Each contact had a first name and a family name – the names I generated weren't dummy data. I used an English name directory to generate real full names. Finally I imported them into my emulator, which took over 30 minutes.

Why did I create random phone numbers?
We don't have a public dataset where we can find registered cell phone numbers. That's why I created my own dataset. There are more than 2.71 billion smartphone users worldwide and 1.5 billion active WhatsApp users. That means that if we could find a registered cell phone number, we would probably also find a WhatsApp user.
Once I had all the contacts on my Android emulator, I installed WhatsApp and created a new account with the cell phone number which I had bought. WhatsApp took over two hours to scan all my contacts and create my WhatsApp contact list. Then I had more than 15,000 contacts in my WhatsApp. That means that the other 55,000 phone numbers from my dataset either weren't registered on WhatsApp or weren't registered cell phone numbers at all.

2. Storing Profile Pictures
I started to download all profile pictures of my WhatsApp contacts. I was able to download more than 9,000 profile pictures.
Because of its exploitability I won't give out any technical details about this part.

What about the other 6,000 contacts?
We are not allowed to see everybody's profile picture on WhatsApp. We can only see somebody's profile picture if:
– he has our number in his contacts, or
– he sets his profile picture as public.
"Profile picture as public" is the most important factor in this research project. More than 60% of my contacts had set their profile pictures as public. I downloaded all the profile pictures and assigned each picture to its phone number.
After I got all profile pictures on my PC I used Ayonix's face recognition to find out how many people had a face in their profile pictures. 73% (6,570 people) of these profile pictures contained at least one face. The others contained other things: a dog, a cat, a landscape etc. I also determined that in some profile pictures there was more than one face.
3. Match & Find
I had a face and a phone number assigned to the face. It was pretty easy to find somebody's phone number just by taking a picture of him. And because some profile pictures contained more than one face, it also allowed me to see who the person was in contact with. After I identified his phone number I wanted to find his social network accounts (e.g. Facebook).
There are several ways to find a Facebook profile by a phone number. I will describe two that I tested.
Method 1:
Facebook's password recovery function: If somebody added his phone number to Facebook, it allows him to recover his password by entering the phone number. Facebook shows people's names and profile pictures on the password recovery page when you enter the phone number. So now I know who the guy is. Then I searched for his name on Facebook and downloaded all profile pictures by using my web crawler, and I matched Facebook's profile pictures to the original images (also possible: to his profile picture on the recovery page, as it's possible to get the profile picture in any size by changing the parameter square_px in the image URL).

Method 2: (this method no longer works!)
Another way to find people's profiles by their phone numbers is the function to block people. It's enough just to enter the phone number in the following URL:
https://www.facebook.com/browse/block_users?q=00123456789
To confirm the blocking Facebook will show us the profile and weâll have it!
Note: This method no longer works because of the last leak (see here)
tl;dr
The question was whether it was possible to identify a person by taking a photo of him. To research it I used and developed some tools and apps (WhatsApp, face recognition, a web crawler etc.):
1. I generated random phone numbers and synced them with the WhatsApp contact list.
2. I downloaded the profile pictures which were public and matched them against the photo of the person I was searching for to find his phone number.
3. I searched for people's profiles on Facebook by using their phone numbers.
I found out that it's generally possible to identify people when their profile pictures contain their faces and are set as public.
Suggestions
I wanted to show how technically easy it is today to identify people by their profile picture.
Here are my recommendations to avoid possible exploitation:
1. Always set your profile picture on WhatsApp and similar apps and platforms to private.
2. Use profile pictures that make it impossible for face recognition software to detect your face:
a. use pictures that don't contain your face
b. use pictures that contain only a part of your face
c. apply a filter to your pictures (e.g. faceshield.ai) before uploading them.
Follow me on Twitter: https://twitter.com/nrllah/