Abstract

Email Discovery and Contact Discovery are processes that let a user find out which contacts from their phone book are using the same service. In the first case the email address is used as an identifier; in the second, the phone number. However, these processes come with privacy vulnerabilities that need to be addressed. One significant vulnerability is that all contacts and data of individuals who have not explicitly given permission for their information to be shared may be uploaded. When a user grants a service access to their phone book or contact list, the people listed in their contacts have not necessarily consented to their data being uploaded to the server. This opens up the possibility of unauthorized access to sensitive data by third parties or even by employees of the service provider. Data leaks and server attacks are also potential risks. Additionally, enumeration and crawling attacks pose threats by exploiting the ability to access data from a user's phone book during the Email or Contact Discovery process. The danger of crawling attacks lies in the fact that they can be carried out without special equipment or in-depth knowledge of the process for each specific service. As shown in previous work, almost all modern instant messengers that use Contact Discovery are vulnerable to such crawling attacks. The purpose of our work is to study the possibility of carrying out crawling attacks on services that use an email address as an identifier, i.e., applications using Email Discovery. We consider instant messengers, job search applications, gaming platforms, and other applications. Our work shows that three applications using Email Discovery turned out to be vulnerable to such crawling attacks: Xing, LinkedIn, and Google Contacts.
To do this, we generate millions of email addresses that are then uploaded to the services to learn whether the corresponding user is registered and what data can be obtained with this information. The attacks carried out manually on the LinkedIn and Xing services proved to be ineffective, primarily because of rate limits. These limits restrict the number of requests allowed within a specific time frame, thereby hindering the success of our attacks. Additionally, verification of the user's IP address further prevented user data from being extracted successfully. As a result, our attacks on these two services yielded insufficient results in terms of accessing and retrieving user data. The attack on the Google Contacts application shows the most devastating results. We develop a crawler that allowed us to carry out a large-scale crawling attack on this application. As a result, we are able to check 3046656 generated contacts. We also find that there are no rate limits enforced by Google to prevent such attacks. Thus, we show that, using a regular user PC, it is possible to carry out a crawling attack and find out personal data of users such as first name, last name, photo, links to other social networks, and online status. Furthermore, we analyze existing methods for protecting the Email Discovery process and propose privacy enhancements for the Google Contacts service.
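The abstract identifies rate limits on discovery requests as the control that blunted the manual attacks on LinkedIn and Xing, and their absence at Google Contacts as what made the large-scale crawl possible. The following is an added example, not code from the thesis or from any of the services named, of how a server-side Email Discovery endpoint can enforce such a limit: a per-account sliding window over the number of addresses looked up, plus a heuristic (an assumption of this example, not a finding of the thesis) that a large batch with almost no registered matches looks like generated addresses rather than a real address book and is held back for review instead of answered. The policy thresholds, the `DiscoveryGuard` class and the registered-address set are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
import time


@dataclass
class DiscoveryPolicy:
    """Assumed example thresholds; real values depend on the service."""
    max_lookups: int = 5000        # addresses an account may look up per window
    window_seconds: int = 86400    # sliding window length
    min_hit_rate: float = 0.05     # below this fraction of matches a big batch is flagged
    min_batch_for_hit_rate: int = 200  # hit-rate check only applies to batches this large


class DiscoveryGuard:
    """Rate-limits and sanity-checks Email Discovery lookups per account."""

    def __init__(self, policy, registered, clock=time.time):
        self.policy = policy
        self.registered = {a.strip().lower() for a in registered}
        self.clock = clock                 # injectable for testing
        self.history = {}                  # account -> deque of (timestamp, count)

    def _used_in_window(self, account, now):
        q = self.history.setdefault(account, deque())
        cutoff = now - self.policy.window_seconds
        while q and q[0][0] <= cutoff:     # drop entries that fell out of the window
            q.popleft()
        return sum(count for _, count in q)

    def lookup(self, account, addresses):
        """Return {'status', 'matches', 'remaining'} for one discovery request."""
        now = self.clock()
        addresses = {a.strip().lower() for a in addresses}   # normalise and de-duplicate
        remaining = self.policy.max_lookups - self._used_in_window(account, now)
        if len(addresses) > remaining:
            # Quota exhausted: answer nothing, consume nothing.
            return {"status": "rate_limited", "matches": [], "remaining": max(remaining, 0)}

        self.history[account].append((now, len(addresses)))
        remaining -= len(addresses)
        matches = sorted(a for a in addresses if a in self.registered)

        large = len(addresses) >= self.policy.min_batch_for_hit_rate
        if large and len(matches) / len(addresses) < self.policy.min_hit_rate:
            # Looks like synthetic addresses, not a phone book: withhold results for review.
            return {"status": "flagged", "matches": [], "remaining": remaining}
        return {"status": "ok", "matches": matches, "remaining": remaining}


# Constructed sample data for the example.
REGISTERED = ["alice@example.com", "bob@example.com", "carol@example.com"]


def demo(clock=time.time):
    """Runs three requests against a small policy and returns their statuses."""
    guard = DiscoveryGuard(DiscoveryPolicy(max_lookups=1000, window_seconds=3600),
                           REGISTERED, clock=clock)
    r1 = guard.lookup("acct-1", ["Alice@example.com", "dave@example.com"])
    generated = [f"user{i:04d}@example.com" for i in range(499)] + ["bob@example.com"]
    r2 = guard.lookup("acct-1", generated)          # 1 match in 500: flagged
    r3 = guard.lookup("acct-1", [f"x{i}@example.com" for i in range(600)])  # over quota
    return r1, r2, r3
```

The quota is charged on the number of distinct addresses, not on requests, so splitting a generated list into many small uploads does not help; the window is per account, and a deployment would typically keep a second window keyed on source IP address, which is the other control the abstract names.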

Tags

community

  • @se-group
  • @sssgroup