KakaoTalk, a mobile messaging application used by almost the entire population of South Korea, is embroiled in a major controversy over the leakage of personal data. Its open chat rooms, which are supposed to protect the anonymity of participants, allegedly leak fragments of users’ private information, giving malicious actors the opportunity to identify users and exploit the data for fraud.
On March 12, a vendor appeared on several marketing websites and social media channels, claiming in advertisements to be able to extract databases from open chat rooms operating on KakaoTalk. On request, the vendor insisted, the databases would include the real names and phone numbers of the members of an open chat room. The vendor further promoted the service by claiming to filter out ghost accounts and foreign numbers, and by offering free tests to first-time buyers.
Open chat is a service that allows users to share their thoughts and information without revealing their identities. Users do not need to exchange phone numbers or IDs to join an open chat; instead, like-minded people are brought into each room through invitation links from existing members. Over the last few years, open chat has gained popularity, especially among marketers. KakaoTalk itself had 48 million monthly active users as of the third quarter of last year. The entire population of South Korea is around 52 million.
This issue first surfaced when The Electronic Times broke the exclusive story on Sunday. Soon after, multiple local media outlets followed up on the initial reporting, heightening security concerns surrounding KakaoTalk and its open chat. According to the reports, the databases have been sold via underground markets for much higher prices than is usual for such illicitly extracted data. The Telegram channel onto which the advertisement was uploaded was still live, The Readable confirmed on Tuesday.
Cybersecurity experts believe that the vendor exploits security vulnerabilities in the Loco protocol. Kakao Corporation developed the Loco protocol in 2011 in response to the sharp increase in traffic on its messaging platform. While the company succeeded in relieving the traffic load, it left security holes that made unauthorized access to sensitive data possible through reverse engineering. Abusers, including the recent advertiser, built fake clients through reverse engineering, passed them off as legitimate ones, and used them to collect the unique ID numbers of members in open chat rooms. They then matched those numbers with users’ actual profiles.
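As an added illustration that is not Kakao's code and makes no claim about the Loco protocol's actual wire format, the following Python shows why handing clients a stable account identifier inside an anonymous room is the root of the linkage problem described above, and one mitigation: deriving a per-room pseudonym with a keyed hash so that room membership cannot be joined to account records or to other rooms. The directory, room names, member IDs and server key are all constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data: a server-side directory mapping stable account IDs
# to real profiles, and two open-chat rooms whose member lists reach clients.
ACCOUNT_DIRECTORY = {
    "u1001": {"name": "Hong Gildong", "phone": "+82-10-0000-0001"},
    "u1002": {"name": "Kim Cheolsu", "phone": "+82-10-0000-0002"},
    "u1003": {"name": "Lee Younghee", "phone": "+82-10-0000-0003"},
}
ROOM_MEMBERS = {
    "room_alpha": ["u1001", "u1002"],
    "room_beta": ["u1002", "u1003"],
}


def weak_member_list(room_id):
    """Weak design: the global account ID of every member is sent to clients.
    Any client that can also resolve IDs against the directory, or that sees
    the same ID in another room, can de-anonymize the member."""
    return list(ROOM_MEMBERS[room_id])


def pseudonymous_member_list(room_id, server_key):
    """Mitigation: a per-room pseudonym computed as HMAC-SHA256 over the room
    ID and account ID, keyed with a server-only secret. The pseudonym is stable
    within a room (so clients can render a consistent participant), differs
    across rooms, and cannot be mapped back to the account without the key."""
    return [
        hmac.new(server_key, f"{room_id}:{uid}".encode(), hashlib.sha256)
        .hexdigest()[:16]
        for uid in ROOM_MEMBERS[room_id]
    ]


def linkable_members(view_a, view_b):
    """Identifiers visible in both room views, i.e. cross-room linkage."""
    return sorted(set(view_a) & set(view_b))


def resolvable_profiles(view):
    """Identifiers in a room view that resolve directly to a real profile."""
    return {i: ACCOUNT_DIRECTORY[i] for i in view if i in ACCOUNT_DIRECTORY}
```

With the weak design, the shared member u1002 is linkable across both rooms and every ID resolves to a name and phone number; with per-room pseudonyms, neither the cross-room join nor the directory lookup succeeds.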
Kakao Corporation had reportedly acknowledged this problem before it became publicly known, yet it did not report the issue to law enforcement because of a misjudgement: the company concluded that user nicknames in open chat rooms were not personal information. The company told the local press that it took action to prevent ID number extraction from open chat.
Dasom Kim contributed to this reporting.