DEV Community

Oliver

Reverse Methods for Obtaining Phone Numbers and Preventive Measures

In group chats on various instant messaging apps (such as WeChat, WhatsApp, Telegram, LINE, Signal, Facebook Messenger, etc.), there are often many group members. In practice, it is possible — and technically not difficult — to indirectly obtain group members’ phone numbers using certain techniques. The principle is as follows:
Step 1 — Obtain the contact list
For example, if a group is a residential owners’ group, an attacker may try to obtain the contact list of the building’s owners. Consider how real estate agents or renovation companies easily get owners’ contact lists — this shows it is not difficult.
If the group is a parents’ group, the attacker will try to obtain the parents’ contact list; if it is an event or conference group, the attacker will try to obtain the attendees’ contact list.
If the actor is a property manager, school teacher, event organizer, or another insider, obtaining these contact lists becomes even easier.

Step 2 — Build mappings between phone numbers and profile pictures
An attacker can, by data scraping or API requests, iterate through phone numbers in the target number ranges and use the instant messaging app’s “add contact” or phone-number-lookup function (without actually adding the contacts) to obtain the profile picture and display name associated with each phone number. The attacker stores these mappings locally — i.e., phone number A → profile picture A / display name A; phone number B → profile picture B / display name B.
This method is not only applicable to WeChat, but also to platforms that allow phone-number-based user lookup, such as WhatsApp, Telegram, LINE, Signal, and Facebook Messenger.

Step 3 — Reverse-match phone numbers
When the attacker obtains the profile pictures of one or more group members, they can compare those pictures with the locally built database using image similarity matching and thereby infer which phone numbers correspond to which group members. For example, profile picture A matches phone number A; profile picture B matches phone number B.
In this way, the attacker can indirectly obtain group members’ phone numbers.

Security and mitigation strategies:
(1) Personal user protection measures
Individual users can disable the “find by phone number” / “search by phone” feature according to each platform’s settings to reduce the risk of reverse matching. For example:
WeChat: Go to Me → Settings → Privacy → Friend Permissions → Ways to Add Me, and turn off the “Mobile Contacts” search entry.
WhatsApp: Adjust “Who can see my profile photo, about, status” under Privacy → Profile Info.
Telegram: Go to Settings → Privacy & Security → Phone Number, and set it to “My Contacts” or “Nobody.”
LINE: In Settings → Privacy Management → Allow others to add me by ID or phone number, turn off the corresponding options.
Signal: Turn off the “Discoverable by phone number” option so only known contacts can find you.
Using these methods severs the pathway by which accounts are discovered via phone number at the source, significantly reducing the chance of being reverse-matched.
(2) Platform security optimization suggestions
Instant messaging platforms (including WeChat, WhatsApp, Telegram, LINE, Signal, Messenger, etc.) could consider system-level privacy protections. For example, platforms could apply differentiated handling of user profile images depending on the lookup method or relationship: show a first (possibly obfuscated or lower-resolution) avatar when a user is found via phone-number search, a second avatar for group-member views, and only show the full-resolution default avatar in established social relationships. This approach would make it harder for attackers to match a user’s profile picture to their phone number.
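As an added example of the platform-side protection this section proposes (not code from the original post or from any of the platforms named), the following detector flags clients that sweep a contiguous phone-number range through a lookup endpoint, which is the behaviour Step 2 depends on. It assumes a constructed server-side lookup log with a timestamp, a client identifier, and the queried number; field names and thresholds are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Lookup(NamedTuple):
    ts: int       # request time, unix seconds
    client: str   # device/session identifier (assumed field)
    phone: int    # queried number as E.164 digits, no '+'


# Constructed sample log: a normal client doing three unrelated lookups,
# and a client walking 60 consecutive numbers within one minute.
SAMPLE = (
    [Lookup(1000 + i, "normal-1", n)
     for i, n in enumerate([15550100200, 15550100317, 15550100999])]
    + [Lookup(2000 + i, "sweep-7", 15550100000 + i) for i in range(60)]
)


def flag_enumeration(lookups, window_s=300, min_lookups=40,
                     max_gap=5, min_adjacent_frac=0.8):
    """Return {client: stats} for clients whose lookups inside any
    sliding time window are numerous and mostly adjacent numbers."""
    by_client = defaultdict(list)
    for lk in lookups:
        by_client[lk.client].append(lk)
    flagged = {}
    for client, evts in by_client.items():
        evts.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evts)):
            # shrink the window from the left until it spans <= window_s
            while evts[end].ts - evts[start].ts > window_s:
                start += 1
            nums = sorted({e.phone for e in evts[start:end + 1]})
            if len(nums) < min_lookups:
                continue
            # fraction of neighbouring queried numbers that sit within max_gap
            adjacent = sum(1 for a, b in zip(nums, nums[1:]) if b - a <= max_gap)
            frac = adjacent / (len(nums) - 1)
            if frac >= min_adjacent_frac:
                flagged[client] = {"lookups": len(nums),
                                   "adjacent_fraction": round(frac, 2)}
                break  # one hit per client is enough to raise an alert
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE))  # only "sweep-7" is reported
```

A flagged client can be rate-limited or served the obfuscated avatar variant described above instead of the full-resolution one.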
