Most popular messaging app in Korea faces controversy over security

By Dain Oh, The Readable
Mar. 14, 2023 5:44PM GMT+9

KakaoTalk, a mobile messaging application used by almost the entire population of South Korea, has been wrapped up in a massive controversy over personal data breaches. Its open chat rooms, which are supposed to protect the anonymity of participants, allegedly leak fragments of users’ private information, giving malicious actors opportunities to identify users and exploit the data for fraudulent activities.

On March 12, a vendor appeared on several marketing websites and social media channels, claiming in their advertisements that they can extract databases from open chat rooms operating on KakaoTalk. The vendor insisted that, once a request is received, the databases will include the real names and phone numbers of the members of open chat rooms. They further promoted the service by saying that they filter out ghost accounts and foreign numbers, and by offering free tests to first-time buyers.

Open chat is a service that allows users to share their thoughts and information without revealing their identities. It does not require users to exchange phone numbers or IDs to join an open chat, bringing like-minded people into each room based on invitation links from existing members. Over the last few years, open chat has gained popularity especially among marketers. KakaoTalk itself has 48 million monthly active users as of the third quarter of last year. The entire population of South Korea is around 52 million.

A vendor’s advertisement uploaded onto a Telegram channel. They claimed that they can extract databases from open chat rooms operating on KakaoTalk. Source: The Readable

This issue first rose to the surface when The Electronic Times broke the exclusive story on Sunday. Soon after, multiple local media outlets followed the initial reporting, elevating security concerns surrounding KakaoTalk and its open chat. According to the reports, the databases have been sold via underground markets for much higher prices than what is usual for such illicit data extraction. The Telegram channel that the advertisement was uploaded onto is still alive, The Readable confirmed on Tuesday.

Cybersecurity experts believe that the vendor exploits security vulnerabilities in the Loco protocol. In 2011, Kakao Corporation developed the Loco protocol in response to the sharply increased traffic rushing onto its messaging platform. While the company succeeded in easing the traffic load, it left security holes that created the possibility of unauthorized access to sensitive data through reverse engineering. Abusers, including the recent advertiser, were able to collect the unique ID numbers of members in open chat rooms by using fake clients built through reverse engineering. They then matched those numbers against users’ actual profiles.

Kakao Corporation had reportedly acknowledged this problem before it became publicly known, yet it did not report the issue to law enforcement because of a misjudgement: the company concluded that user nicknames in open chat rooms were not personal information. The company told the local press that it has taken action to prevent ID number extraction from open chat.

Dasom Kim contributed to this reporting.
The cover image of this article was designed by Sangseon Kim.

Dain Oh is a distinguished journalist based in South Korea, recognized for her exceptional contributions to the field. As the founder and editor-in-chief of The Readable, she has demonstrated her expertise in leading media outlets to success. Prior to establishing The Readable, Dain was a journalist for The Electronic Times, a prestigious IT newspaper in Korea. During her tenure, she extensively covered the cybersecurity industry, delivering groundbreaking reports. Her work included exclusive stories, such as the revelation of incident response information sharing by the National Intelligence Service. These accomplishments led to her receiving the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology, a well-deserved accolade bestowed upon her through a unanimous decision. Dain has been invited to speak at several global conferences, including the APEC Women in STEM Principles and Actions, which was funded by the U.S. State Department. Additionally, she is an active member of the Asian American Journalists Association, further exhibiting her commitment to journalism.