The first and most relevant "privacy hacking" based on images (avatars).
October 2017 by Patrick LEBRETON
Federico Ziberna and Claudio Cavalera, independent Italian researchers, have conceived and described a completely new kind of privacy breach, based on avatars. This type of violation may involve most users of the popular Instant Messaging apps: Whatsapp and Viber.
Ziberna developed a system that allowed him to freely download an unlimited amount of avatars linked to as many accounts as users of famous Instant Messaging systems. Using the User’s Avatar as a “Search Key” (possibly combined with other data automatically extracted from the image thanks to facial recognition algorithms, such as ethnicity, age, gender, etc), it was possible to compare the avatar with other freely images in the network or on other accounts, in order to find a match.
This fact therefore allows you to have a chance to connect any unknown person’s phone number to a real person, thanks to the avatar.
“Imagine this scenario: we have an archive of millions of photos. Most of these have the face of a person. Do you remember the old movies in which the police are looking for a criminal by comparing his picture with those contained in their file? ..nowiseeyou has the advantage that on every photo of its archive there is attached the card with the criminal phone number ..”
Among the different types of hacks described (for pure study), Ziberna describes the so nicknamed "voodoo doll exploit": the striker makes a photo to any person, and the attack tool verifies whether the "doll" is comparable to one of the downloaded avatars and hence eventually traced back to the phone number of the person photographed.