Sync Contacts: An unnoticed goldmine of OSINT

Published in OSINT Ambition · 6 min read · Jan 13, 2024


Have you ever wondered whether it is safe to give your phone number to an unknown or untrusted person for the comfort of a few seconds? Have you thought about how much information he can gather about you using just your phone number?

Hi everyone, this is Dheeraj Yadav, founder of OSINT Ambition. In this blog, we will learn about “Sync Contacts”, a feature that is widely adopted by most social media apps.

I believe that all the readers of this blog are familiar with popular social media apps like Instagram, Facebook, Discord, Telegram, etc.

Sync Contacts is a very useful feature in general. It helps you easily find the profiles/accounts of your friends, family and other people you know, and helps you stay connected with them. But as is the law of the universe, everything has its own advantages and disadvantages, and this feature is no exception. While it makes it easy to stay connected with your loved ones, it also poses a risk of stalking.

Every app has its own name for this feature: Discord calls it Find Your Friends, Instagram calls it Sync Contacts, and some other apps call it Find your contacts.

Understanding the Working

When you create an account on a social media app, once you are done with the signup process, it gives you an option to sync your contacts so that you can easily find the accounts of your friends and family.

When you enable this feature, the app asks for permission to see all the contacts saved on your phone. Once you grant the permission, it copies all the phone numbers saved on your phone and sends them to its server. Some apps even copy the name under which you have saved each number, along with the phone number.

Source: Support page of Discord’s official website

Once this data reaches the app's server, the app can check whether these numbers are connected to any account on its platform. If it finds your contacts registered on the platform, it will do one of the following:

  • In some cases, they directly show you the list of all contacts along with their name, picture and other data.
    e.g. — Snapchat. I used to be a user of Snapchat a few months back when I was enjoying my college life. I remember that, at that time, they used to have a find your friends feature, and I had synced my contacts, so it used to show me a list of all the accounts of my friends and family whose numbers were saved in my phone.
  • Some other apps suggest the profiles of these contacts to you in the form of accounts you may know or suggestions.
    e.g. — Instagram. I remember when I was using Instagram, it used to show me the button to sync contacts. Earlier, I guess till 2021, it used to show you the profiles of your contacts directly, but then they changed the feature and now they show you the profiles in the form of suggestions, so it became a little difficult to find the account of any person using their phone number.
  • Some other apps, which care about their users’ privacy, check whether those contacts have allowed their accounts to be discovered by the sync contacts feature or via phone number.
    e.g. — Telegram. It gives you an option in settings with which you can decide if you want to be discovered by others and, if yes, then by whom: anyone, your contacts, or no one.

Every app has its own working and policies for this feature. While some apps like Telegram and Discord give their users the ability to decide whether they want to be found by others (using sync contacts or via any other method, if one exists), there are many other apps which just don’t care about the user’s consent and let anyone find them by using their phone number.
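The difference between these policies is easiest to see from the server's side. The following is an added example, not code from any of the apps named above: it contrasts a matcher that ignores consent with one that honours a per-account discoverability setting of the kind described for Telegram. The `Account` fields, the function names, the digits-only normalisation and the rule that "contacts" means the account owner has saved the uploader's number are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

def normalize(number: str) -> str:
    """Keep digits only so formatting differences do not block a match (simplified)."""
    return re.sub(r"\D", "", number)

@dataclass
class Account:
    handle: str
    phone: str
    discoverable_by: str = "everyone"            # "everyone", "contacts" or "nobody"
    contacts: set = field(default_factory=set)   # numbers this user has synced

def match_without_consent(uploaded, accounts):
    """Policy of apps that ignore consent: any registered number resolves to a profile."""
    wanted = {normalize(n) for n in uploaded}
    return sorted(a.handle for a in accounts if normalize(a.phone) in wanted)

def match_with_consent(uploader_phone, uploaded, accounts):
    """Consent-aware policy: apply each account's discoverability setting before revealing it."""
    wanted = {normalize(n) for n in uploaded}
    me = normalize(uploader_phone)
    visible = []
    for a in accounts:
        if normalize(a.phone) not in wanted:
            continue
        if a.discoverable_by == "everyone":
            visible.append(a.handle)
        elif a.discoverable_by == "contacts":
            # Assumed rule: reveal only if the account owner has saved the uploader too.
            if me in {normalize(c) for c in a.contacts}:
                visible.append(a.handle)
        # "nobody": never revealed through a phone-number lookup
    return sorted(visible)

# Constructed sample data (fictional 555-01xx numbers, not real accounts)
ACCOUNTS = [
    Account("alice", "+1 555 0100", "everyone"),
    Account("bob", "+1 555 0101", "contacts", {"+1 (555) 0199"}),
    Account("carol", "+1 555 0102", "contacts", {"+1 555 0150"}),
    Account("dave", "+1 555 0103", "nobody"),
]
UPLOAD = ["+1-555-0100", "15550101", "+1 555 0102", "+1 555 0103", "+1 555 0999"]

if __name__ == "__main__":
    print(match_without_consent(UPLOAD, ACCOUNTS))              # every registered number
    print(match_with_consent("+1 555 0199", UPLOAD, ACCOUNTS))  # only consenting accounts
```

With the same uploaded address book, the first policy reveals every registered account, while the second reveals only accounts open to everyone or whose owner already knows the uploader.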

Now, let’s make a list of apps along with their use cases to understand and utilize this feature for OSINT.

List of Apps

  1. Facebook — The oldest and the most widely adopted social media platform.
    Opinion — It’s old and people don’t use it much anymore, but the majority of the people who were using it earlier still have their accounts active. So, you should check whether your target exists on Facebook via abusing the Facebook account recovery page and, if yes, try to find his profile via sync contacts.
  2. Instagram — If your target is addicted to social media, then for sure he will have an Instagram account. It is widely adopted, and people between the ages of 15 and 25 mostly reveal a lot of their personal information, including their DOB, address and other sensitive information. You must give it a try for every target.
  3. LinkedIn — If your target is a college student or working professional, it’s expected that he/she will have a LinkedIn account, and the amount of information you can get from this platform is insane. It’s a goldmine of data in most cases.
  4. Telegram — I suggest always checking whether your target is a user of Telegram. It’s a widely adopted platform and most people don’t customize their settings, so you can easily find them, and in most cases you will find their real name and other cool info leaked on this platform, provided you have a good knowledge of Telegram OSINT.
  5. Snapchat — If your target is a girl or a boy who is obsessed with selfies (showing off), then he/she must have a Snapchat account. You can easily find out if he’s a user of Snapchat by observing his accounts on other platforms. Also, finding the profile of a user by phone number is easiest on Snapchat, in my opinion.
  6. Tiktok — If your target has a craze for making short content or some kind of short videos, then it’s expected he must have used Tiktok once. It’s been banned in India from 2021, so I don’t have any idea about its features and working, but you must give it a try.
  7. Discord — If your friend loves chatting in groups, then it’s expected he’s a user of Discord. Also, most hackers, cybersecurity people and gamers have a Discord account, so if your target has an interest in these, you must try this out.
  8. Twitter/X — An app that needs no introduction. This app also has a sync contacts feature. I haven’t tried it yet, so no comments on it, but you should try this.
  9. Payment Apps — Payment apps/websites also have this feature, and I believe this is the most trusted platform through which you can find out the name and bank information of your target. Of course, it can be a sock puppet on this platform too, but the chances are lowest for these. When I have a phone number as a lead, the first thing I do is check for it on payment apps like Payment, PayPal, Gpay, Amazon Pay, etc. If you get positive results from this, and if you are doing OSINT for some law enforcement agency, it will be easy for you to get further information from the bank itself if you don’t get a lead from any other source.

Some other platforms that I am aware of that have this feature are listed below:

  • BeReal
  • Poshmark
  • Cash App
  • Tinder
  • Duolingo
  • MyFitnessPal
  • Venmo
  • VSCO

Note — The credit for collecting the websites listed above goes to the Twitter user @UndeadSec; thanks to him for saving my time.

If you know of any other app/website, let us know in the comments of this blog and I will add it here.

Note — Never use your primary number or account when trying to find a target’s profile by abusing the sync contacts feature.
