How to abuse contact list syncing for OSINT/DOX

In this purely educational post, which doesn't encourage anyone to try anything, I want to demonstrate the dangers of linking phone numbers to social media accounts, because it's bad to dox people and bad to get doxed. Unless the end justifies the means.

In this example I'm using Twitter as the platform. Twitter has actually fixed the country code leak, but it still lets you see how a user's phone number ends, depending on how they've set up their account, and in some cases a few characters of their email address. Here I'm focusing purely on phone numbers, because phone numbers are more exciting than email addresses. Services other than social media may offer the same sort of functionality as Twitter.

Now, what can we do with this information? We know that the phone number ends in 51, and that's all. We can no longer see the user's country code, but that's no problem. We could, for example:

  • Make the target click an IP logger link, preferably at a time when the target is most likely using their phone. The Twitter API lets you build statistics on when the user tweets and from which client.
    • Geolocating the IP gives you the assumed country code.
  • Just make assumptions based on tweets. Even the time zone and the language used by the account can help here.

In the end we have the information we want. Let's now assume that the phone number starts with the country code +358 and ends with 51. +358 is Finland, so next we have to study that country's telephone numbering plan.

Luckily Wikipedia helps a lot here and lists the number prefixes that follow the country code in Finland. If you used an IP logger on the target and also captured the ISP they were on (in Finland e.g. Elisa, Telia, DNA or some smaller operator), the next steps get easier, provided you are right about the ISP. Keep in mind that the ISP behind the IP is only a hint: if the target clicked from home or office Wi-Fi, the ISP says nothing about their mobile operator.

If the target is on the Elisa network, one of the known Elisa prefixes is 045. Since the prefix could be that or any of the other Elisa prefixes, the number is somewhere in +35845[xxxxx]51 (plus the same pattern for the other Elisa prefixes, of course). That leaves 5-10 unknown digits, because phone numbers in Finland are usually 7-12 digits long. Bear in mind that a prefix only tells you which operator the range was originally allocated to; with number portability the subscriber may be on a different operator today, so the guess can be wrong.

Contact list generation idea

To abuse contact list syncing on social media platforms, we need to generate all the possible phone numbers in the unknown range, for each possible prefix. You can use any method you like, but the basic idea is to create vCard (.vcf) files that you can import into your phone.

You just need to create an imaginary person for each generated phone number, in a vCard format your phone supports. Since this means a lot of numbers, the import is painfully slow, and so is the contact sync.

Also, creating one huge vCard file without slicing it is pointless. To find the number behind the user you need to slice the range into even parts and sync them one by one to see if any of them matches the user you're looking for. Syncing is done by copying the generated vCard slice onto the phone's storage, importing it from the file manager into the contacts app, and then logging in to Twitter and syncing all your lovely contacts.

Chances are you're going to see loads of random users you're not after. But when the vCard slice containing X phone numbers matches the target, you take that slice, split it in half again, and see which half has the user you're looking for; you keep going until only one number is left. With N numbers in the matching slice this is a binary search, so it takes about log2(N) further sync rounds.

To reduce the time needed for syncing you can use lots of phones, like the Chinese click farms do, or try running a number of virtual Android machines.
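The whole procedure above in one script, as an added example that is not the author's tooling: enumerate the candidate range, emit each slice as vCard 3.0 text for import, and bisect the slice that matched. The country code, prefix, suffix and digit count are the post's hypothetical Finland/Elisa values; the contact sync itself is stood in for by an oracle function, because the upload has to happen on the phone, and the "hidden" target number is constructed.

```python
"""Enumerate a phone-number range, emit it as vCard slices and bisect the
slice that matched.  Added example; the constants below are the post's
hypothetical values, not real data."""
from itertools import product
from typing import Callable, Iterable, List, Sequence, Tuple

# Hypothetical inputs from the walk-through: Finland (+358), the Elisa
# prefix 045 (trunk 0 dropped), the two known trailing digits, and the
# number of digits in between.
COUNTRY_CODE = "+358"
PREFIXES = ["45"]
SUFFIX = "51"
UNKNOWN_DIGITS = 5


def candidate_numbers(country_code: str, prefixes: Sequence[str],
                      unknown_digits: int, suffix: str) -> List[str]:
    """Every E.164 number of the form <cc><prefix><unknown digits><suffix>."""
    numbers = []
    for prefix in prefixes:
        for digits in product("0123456789", repeat=unknown_digits):
            numbers.append(f"{country_code}{prefix}{''.join(digits)}{suffix}")
    return numbers


def slice_numbers(numbers: Sequence[str], size: int) -> List[List[str]]:
    """Split the range into even slices of at most `size` numbers."""
    return [list(numbers[i:i + size]) for i in range(0, len(numbers), size)]


def to_vcf(numbers: Iterable[str], label: str = "Probe") -> str:
    """One vCard 3.0 entry per number; an imaginary contact carries each one.

    vCard lines are CRLF-terminated; N is surname;given;;; and FN the
    display name, which is all a phone needs to import the contact.
    """
    cards = []
    for i, number in enumerate(numbers):
        cards.append("\r\n".join([
            "BEGIN:VCARD",
            "VERSION:3.0",
            f"N:{label};{i:06d};;;",
            f"FN:{i:06d} {label}",
            f"TEL;TYPE=CELL:{number}",
            "END:VCARD",
        ]))
    return "\r\n".join(cards) + "\r\n"


def bisect_slice(candidates: Sequence[str],
                 slice_matches: Callable[[Sequence[str]], bool]) -> Tuple[str, int]:
    """Narrow a slice that already matched down to the single number.

    `slice_matches` stands in for one contact-sync round: it takes the
    numbers of a (half-)slice and reports whether the target account showed
    up.  Each round halves the range, so about log2(len(candidates)) syncs
    are needed.  Returns (number, number_of_sync_rounds).
    """
    remaining = list(candidates)
    rounds = 0
    while len(remaining) > 1:
        half = len(remaining) // 2
        first, second = remaining[:half], remaining[half:]
        rounds += 1
        # The target is known to be in `remaining`, so if it is not in the
        # first half it must be in the second; no second sync is needed.
        remaining = first if slice_matches(first) else second
    return remaining[0], rounds


if __name__ == "__main__":
    numbers = candidate_numbers(COUNTRY_CODE, PREFIXES, UNKNOWN_DIGITS, SUFFIX)
    slices = slice_numbers(numbers, 5000)
    # Constructed stand-in for the target's real number and for the sync.
    hidden = numbers[73951]
    sync_oracle = lambda s: hidden in s
    hit = next(s for s in slices if sync_oracle(s))
    found, rounds = bisect_slice(hit, sync_oracle)
    print(f"{len(numbers)} candidates in {len(slices)} slices; the matching "
          f"slice of {len(hit)} narrowed to {found} in {rounds} further syncs")
    print(to_vcf(hit[:2]))  # what the first two contacts of a .vcf slice look like
```

Each slice goes to the phone as its own .vcf (write `to_vcf(slice)` to a file), and with 100 000 candidates in slices of 5 000 the first hit takes at most 20 syncs and the bisection about 13 more.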
