WhatsIdent: How I identified people by using WhatsApp profile pictures
Two years ago I developed a project with my professor Norbert Pohlmann which we named SocielIdent. In the context of this project we tried to find out whether it’s possible to identify people in the street by taking their picture or entering their name. We used LinkedIn, Xing, and Facebook as sources and tried to find the target person’s social network accounts on these social networks. We tested it on 158 people and determined that it’s partially possible. You can get more information about this project here.
A few months ago I started to analyse WhatsApp to find an answer to a similar question to the one above. Could I identify and find a person and his friends or relatives just by taking his picture?
Yes, it was possible. I found people’s phone numbers, friends, relatives and social network profiles by just using their pictures.
See how I did it:
My Toolkit
1. An Android emulator — I used NoxPlayer
2. WhatsApp’s APK file — https://whatsapp.com/download (i used WhatsApp Business)
3. A phone number to create a new WhatsApp account — I bought one (can be blocked by WhatsApp)
4. A tool to generate cell phone numbers — I developed my own
5. A tool to download profile pictures from WhatsApp — I developed my own
6. A web crawler — I developed my own.
7. Face recognition software — I was sponsored by Ayonix.com.
1. Creating Contact List
Firstly I installed the Android emulator NoxPlayer on my PC. Then I installed WhatsApp on the emulator. I generated 70,000 random cell phone numbers. I didn’t generate them in an ascending order because WhatsApp could detect it and block me. From these 70,000 phone numbers I created 70,000 contacts (in the VCF format). Each contact had a surname and family name — the names I generated weren’t dummy data. I used an English name directory to generate real full names. Finally I imported them into my emulator which took over 30 minutes.
Why did I create random phone numbers?
We don’t have a public dataset where we can find registered cell phone numbers. That’s why i created my own dataset. There are more than 2.71 billion smartphone users worldwide and 1.5 billion active WhatsApp users. That means that if we could find a registered cell phone number, we would probably also find a WhatsApp user.
I got all the contacts on my Android, installed WhatsApp, and created a new account with the cell phone number which I had bought. WhatsApp took over two hours to scan all my contacts and create my WhatsApp contact list. Then I had more than 15,000 contacts in my WhatsApp. That means that the other 55,000 phone numbers from my dataset either weren’t registered on WhatsApp or weren’t registered cell phone numbers.
2. Storing Profile Pictures
I started to download all profile pictures of my WhatsApp contacts. I was able to download more than 9,000 profile pictures.
Because of its exploitability I won’t give out any technical details about this part.
What about the other 6,000 contacts?
We are not allowed to see everybody’s profile picture on WhatsApp. We can only see somebody’s profile picture if:
● he has our number in his contacts
● he sets his profile picture as public.
“Profile picture as public” This is the most important factor in this research project. More than 60% of my contacts set their profile pictures as public. I downloaded all the profile pictures and assigned each picture to its phone number.
After I got all profile pictures on my PC I used Ayonix’s face recognition to find how many people had a face in their profile pictures. 73% (6,570 people) of these profile pictures contained at least one face. The others contained other things: a dog, cat, landscape etc. I also determined that in some profile pictures there were more than one face.
3. Match & Find
I had a face and a phone number assigned to the face. It was pretty easy to find somebody’s phone number just by taking a picture of him. And because some profile pictures contained more than one face, it also allowed me to see who the person was in contact with. After I identified his phone number I wanted to find his social network accounts (e.g. Facebook).
There are several ways to find a Facebook profile by a phone number. I will describe two that I tested.
Method 1:
Facebook’s password recovery function: If somebody added his phone number to Facebook, it allows him to recover his password by entering the phone number. Facebook shows people’s names and profile pictures on the password recovery page when you enter the phone number. So now I know who the guy is. Then I searched for his name on Facebook and downloaded all profile pictures by using my web crawler, and I matched Facebook’s profile pictures to the original images (also possible: to his profile picture on the recovery page as it’s possible to get the profile picture in any size by changing the parameter square_px in the image URL).
Method 2: (this method no longer works!)
Another way to find people’s profile by their phone numbers is the function to block people. It’s enough just to enter the phone number in folowing URL:
https://www.facebook.com/browse/block_users?q=00123456789
To confirm the blocking Facebook will show us the profile and we’ll have it!
Note: This method no longer works because of the last leak (s. here)
tl;dr
The question was whether it was possible to identify a person by taking a photo of him. To research it I used and developed some tools and apps (WhatsApp, face recognition, web crawler..):
1. I generated random phone numbers and synced them with the WhatsApp contact list.
2. I downloaded profile pictures which were public and matched them to the searched person’s people to find his phone number.
3. I searched people’s profiles on Facebook by using their phone numbers.
I found out that it’s generally possible to identify people when profile pictures contain their faces and are set as public.
Suggestions
I wanted to show how technically it is today easy to identify people by their profile picture.
Here’re my recommendations to avoid possible exploitations:
1. Always set your profile picture on WhatsApp, similar apps and platforms as private.
2. Use profile pictures which make face recognition softwares impossible to detect your face:
a. use pictures that don’t contain your face
b. use pictures that contain only a part of your face
c. apply a filter to your pictures (e.g. faceshield.ai) before uploading them.
Follow me on Twitter: https://twitter.com/nrllah/
Comentários
Postar um comentário