@LAripping
Last active July 5, 2022 14:44
The writeup for the OSINT challenge of this year's BSides Athens security conference - https://2022.bsidesath.gr/

Security BSides Athens 2022 - OSINT Challenge Writeup

Intro

The OSINT challenge was released during the live-stream of the Security BSides Athens 2022 event, as part of the talk "Baby, Don't Forget My Number: OSINT using your phone's address book" [1].

The description was short: a trick discussed in the talk should be used to uncover as much information as possible from social media and instant messaging services about a given "target", of whom only the phone number was known: +30 694 942 2024. Once enough information had been revealed, the challenge's goal, cryptically described as "the three wills", would make sense. All of this was summarised in the slide below:

Note that a short video of this challenge description was played right after the talk and has also been uploaded to YouTube [2].

Challenge Description

The Hunt

As one can easily guess, accounts registered with this number had been set up across a handful of services, some relevant to the challenge and others purely as decoys, since every self-respecting CTF should have at least one rabbit hole.

Animation of Alice falling down the Rabbit hole

But of course, there are countless social media apps out there, so in theory the task could go on forever. However, those who were paying attention will recall the following slide being shown during the talk, which essentially limited the scope to these services only:

A three-row grid of app icons

For each of these services, the process was more or less the same:

  1. Create an account if you don't already have one
  2. Enable "Contact Sync" / use any "Find Friends" feature / upload your address book containing that number, to identify whether the target has an account on this service
  3. Take note of what info their profile includes

In the sections below, we'll look at which services were involved, intentionally or not, and what they had to offer towards the challenge's solution. The order is (almost) arbitrary: the accounts were created so that no more than the phone number was needed at any point, and thus had no inter-dependencies. With each service, a brief explanation for its selection will be provided.

It's also worth reminding that, to avoid sharing your entire address book everywhere every time, one could instead decouple the signup process by using an Android emulator (i.e. an empty address book) and still log in using a real phone number bound to a SIM card inserted in another (e.g. their personal) device to receive OTP codes. While the talk cautioned that apps may have in-app defenses against this practice, none of the services eventually used objected to the emulated/rooted environment.

WhatsApp

WhatsApp was selected as by far the most prevalent instant messaging app globally [3]. Additionally, it's owned by the Meta conglomerate, which controls the unholy quartet of digital communications, completed by Instagram, Facebook and its Messenger, allowing them to aggregate and correlate troves of data about their users (and non-users). Literally everything except the messages themselves, thanks to End-2-End Encryption! ™ [4].

This one was pretty straightforward. As soon as the "Contacts" permission was granted, simply listing possible recipients to send a message to (no need to actually send any messages #OPSEC) would reveal the target's account, along with a mysterious status update:

TikTok

TikTok is nowadays extremely popular and the most up-and-coming social app, yet only a few years ago it was known for more sinister reasons. At some point before stardom, circa 2019, it was well known to authorities as the "pedophile's favorite place" [5]. Whether the situation has gotten any better with the recently increased spotlight remains to be seen...

Another account discovered quickly and trivially by the contestants was on TikTok. As can be seen in the profile below, there was one more cryptic character sequence that brought us one step closer to the solution:

Instagram

The choice here was more for ease-of-use, as almost everyone has an Instagram account these days already set up. Not too easy though...

Here things got tricky. Instagram's friend suggestion algorithm is a bit fuzzy: it doesn't just match your contacts' accounts and present their profiles straight away, but instead mixes any "hits" with generally popular accounts and even some related people that you never officially marked as related to you. Creepy! To make matters worse, friend suggestions change asynchronously and at random intervals, requiring some messing around to find what triggers this process.

When creating the Instagram sockpuppet these problems did not come up, but as reported by a contestant, the following suggestion combo took a few tries and some manual effort to finally include the target:

Due to these quirks, and to keep the challenge as deterministic and reproducible as possible, I decided to offer a second way of finding the Instagram profile, through the TikTok one. Go ahead, scroll up and look at the TikTok pic once again - it was right there all along.

One way or another, the Instagram piece of the puzzle (bWF) was gathered. Moving on.

WeChat (& Viber)

A hint for the selection of WeChat was given during the talk, when it was mentioned as one of the three applications critical for specific regions. Weixin, known internationally as WeChat, is China's most popular messaging application [6], with functionality reaching far beyond typical IM apps, including gaming, mobile payments and even ride hailing.

Most importantly though, user activity on WeChat is analysed, tracked and shared with the authorities upon request as part of the mass surveillance network, while it also actively censors politically sensitive topics within mainland China [7].

The last piece of the puzzle was planted in the target's WeChat profile. Looking up the phone number using the good-ol' trick was enough to find the account in question...

...and from there, one more click would reveal the remaining part, in the field confusingly named What's Up:

The problem, however, was creating a WeChat account in the first place, as the verification required a QR code to be scanned by an existing WeChat user. This was a problem that only came up during the challenge and was highlighted by contestants.

While this screen looked familiar, I could not recall how I had bypassed it when creating the challenge, as this was the first time I had ever created a WeChat account and I certainly had no friends in China to verify me. To this day I insist that there is a way to bypass this, sadly without remembering exactly how, other than that it involved something like a click on a cancel button (x) or exiting and reopening the app at some step of the process to mess with the underlying state. Challenge #2 material, I suppose.

Moreover, I was informed by the contestant who first solved the challenge that in (not so) dark corners of the internet, certain groups exist that anonymously and instantly scan such WeChat QR codes posted with no reward. Without publicly naming such a place, I confirmed that one doesn't need to look far to get this sort of help AHEM facebook AHEM.

In any case, since the challenge was running I decided to give another hint for this by sharing the target's WeChat ID somewhere else, thus enabling the use of random, online search-by-wechatID services to get the profile info required for the challenge. And that "somewhere else" was chosen to be... drum roll... yet another IM app!

A Viber account for the target was initially created, but it was later decided not to include it in the challenge (yes, this was the rabbit hole), as it offered a much more powerful lookup feature requiring no address book upload at all. Instead, just providing the number in the field under "More > Add Contact" was enough to reveal the Viber profile and all its public info:

When the WeChat issue became a blocker, I updated the Viber profile info to redirect contestants to WeChat:

Whoever pinged me for help was prompted to check (or re-check) the Viber account after this change, but this notification was not given publicly in the Discord channel. I decided that given a pretty heated discussion going on at the time related to the talks playing in the background, any (irrelevant) messages about the challenges would be lost in the noise...

Putting it all together

In a real-life investigation the intel gathered so far would all be aggregated in the classic cork board and/or fed into other OSINT pipelines.

Of most interest to us is the set of mysterious fragments in the Bio / About me / Status fields, which, to summarise, are the following: w==, c6N, bWF, 0Oj

While each value on its own makes little sense, when combined they might just reveal something. As blatantly hinted by the w== one, the full sequence seems to be a Base64 encoding which should decode to something meaningful, so long as:

  • all the pieces of the puzzle are found (there were four)
  • and they're arranged in the correct order

Hence we try all possible permutations and come up with this: bWF0Ojc6Nw==, decoding to mat:7:7, which looks like a Bible reference... Googling it, we indeed find the relevant verse, which makes sense of the whole "three wills" thing:

Bible excerpt "Ask and it will be given to you; seek and you will find; knock and the door will be opened to you"
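The permutation step above, scripted. This is an added example and not part of the original writeup: it takes the four fragments found on the profiles, tries all 24 orderings, discards those that are not well-formed Base64 (padding must sit at the very end and the length must be a multiple of 4), and keeps only the orderings that decode to printable text, which leaves exactly the expected one.

```python
import base64
import binascii
import re
from itertools import permutations

# The four fragments planted in the profiles, as listed in the writeup.
FRAGMENTS = ["w==", "c6N", "bWF", "0Oj"]

# Strict Base64 shape: alphabet characters, then at most two '=' at the end.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(candidate: str) -> bool:
    """Reject orderings with padding in the middle or a length not divisible by 4."""
    return len(candidate) % 4 == 0 and _B64_RE.fullmatch(candidate) is not None


def is_printable_ascii(data: bytes) -> bool:
    """The flag is expected to be plain text, so require printable 7-bit ASCII only."""
    return all(0x20 <= b < 0x7F for b in data)


def recover_flag(fragments):
    """Try every ordering of the fragments and keep those decoding to printable text.

    Returns a list of (base64_string, decoded_text) pairs in permutation order.
    """
    hits = []
    for order in permutations(fragments):
        candidate = "".join(order)
        if not looks_like_base64(candidate):
            continue
        try:
            raw = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue  # malformed despite passing the shape check
        if is_printable_ascii(raw):
            hits.append((candidate, raw.decode("ascii")))
    return hits


if __name__ == "__main__":
    for encoded, text in recover_flag(FRAGMENTS):
        print(f"{encoded} -> {text}")
```

Only the six orderings ending in w== survive the shape check, and of those only bWF0Ojc6Nw== decodes to printable bytes, so no manual inspection of garbage candidates is needed.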

References

Footnotes

  1. The video of the original talk is available on YouTube: https://youtu.be/Y8buLspJNKQ

  2. Original OSINT challenge video: https://youtu.be/VL2iWuhVOLQ

  3. Source: Statista, https://www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps/

  4. Forbes piece on WhatsApp's privacy shortcomings: https://www.forbes.com/sites/zakdoffman/2021/03/06/stop-using-whatsapp-after-facebook-apple-imessage-signal-and-telegram-privacy-backlash/?sh=452464a33e8e

  5. Short-video app accused of being "perfect place for predators" by DHS: https://arstechnica.com/tech-policy/2022/04/tiktok-under-us-government-investigation-on-child-sexual-abuse-material/

  6. Source: Statista, https://www.statista.com/statistics/250546/leading-social-network-sites-in-china/

  7. In-depth analysis by CitizenLab for both the mainland and the international versions
