Exploring the security and privacy risks of chatbots in messaging services

Edu, Jide and Mulligan, Cliona and Pierazzi, Fabio and Polakis, Jason and Suarez-Tangil, Guillermo and Such, Jose; (2022) Exploring the security and privacy risks of chatbots in messaging services. In: IMC 2022 - Proceedings of the 2022 ACM Internet Measurement Conference. Association for Computing Machinery, FRA, pp. 581-588. ISBN 9781450392594 (https://doi.org/10.1145/3517745.3561433)

[thumbnail of Edu-etal-ACM-IMC-2022-Exploring-the-security-and-privacy-risks-of-chatbots]
Text. Filename: Edu_etal_ACM_IMC_2022_Exploring_the_security_and_privacy_risks_of_chatbots.pdf
Accepted Author Manuscript
License: Strathprints license 1.0

Download (1MB)| Preview


The unprecedented adoption of messaging platforms for work and recreation has made it an attractive target for malicious actors. In this context, third-party apps (so-called chatbots) offer a variety of attractive functionalities that support the experience in large channels. Unfortunately, under the current permission and deployment models, chatbots in messaging systems could steal information from channels without the victim’s awareness. In this paper, we propose a methodology that incorporates static and dynamic analysis for automatically assessing security and privacy issues in messaging platform chatbots. We also provide preliminary findings from the popular Discord platform that highlight the risks that chatbots pose to users. Unlike other popular platforms like Slack or MS Teams, Discord does not implement user-permission checks—a task entrusted to third-party developers. Among others, we find that 55% of chatbots from a leading Discord repository request the “administrator” permission, and only 4.35% of chatbots with permissions actually provide a privacy policy.