Recent research has uncovered a potential privacy nightmare for users of popular messaging apps like WhatsApp and Signal. The study, conducted by the University of Vienna, highlights how seemingly harmless features such as reactions and delivery receipts can be exploited to track a user's daily activities. This vulnerability requires nothing more than a victim's phone number, making it a significant concern for many.
Uncovering the Exploitation Mechanism
When a message is sent via WhatsApp or Signal, a delivery receipt indicates when the message was received. By analyzing the timing of these receipts, attackers can infer the state of the recipient's phone: whether it is locked, unlocked, or whether the app is actively in use. The attacker does this by spamming reactions, which don't trigger notifications but still generate delivery receipts, so the attack remains undetected.
Mapping Daily Activities
Beyond just phone states, attackers can also differentiate between device brands and determine whether the victim is on Wi-Fi or cellular networks. This can lead to a detailed timeline of someone’s daily routine, revealing when they leave home, arrive at work, or even when they are on a call. Such information can be invaluable for malicious actors seeking to map personal habits and movements.
The Broader Implications
The lack of rate limiting on WhatsApp also allows attackers to spam reactions at an alarming rate, potentially inflating phone bills and draining battery life without the user's knowledge. This is less of a concern on Signal due to its rate limiting, but the vulnerability still poses a significant privacy threat. The findings highlight the urgent need for these platforms to address such vulnerabilities to protect user privacy.
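A defensive sketch of the rate limiting discussed above, as an added example and not code from WhatsApp, Signal or the study: once one sender exceeds a budget of notification-free messages to one recipient, delivery receipts for that pair are suppressed and the pair is flagged. The event tuple layout, the 60-second window, the budget of 5 and the sample names are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60    # assumed sliding window, in seconds
MAX_SILENT = 5   # assumed budget of silent messages per sender/recipient pair


def filter_receipts(events, window_s=WINDOW_S, max_silent=MAX_SILENT):
    """Decide per incoming event whether a delivery receipt is sent back.

    events: time-sorted (ts_seconds, sender, recipient, kind, notifies) tuples.
    Returns (decisions, flagged): decisions is a list of
    (ts, sender, "receipt" | "suppress"); flagged is the set of
    (sender, recipient) pairs that went over the budget.
    """
    recent = defaultdict(deque)  # pair -> timestamps of recent silent messages
    decisions, flagged = [], set()
    for ts, sender, recipient, kind, notifies in events:
        if notifies:
            # The user sees these messages, so they cannot be used covertly.
            decisions.append((ts, sender, "receipt"))
            continue
        q = recent[(sender, recipient)]
        q.append(ts)
        while ts - q[0] >= window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) > max_silent:
            # Over budget: withhold the receipt so its timing leaks nothing.
            flagged.add((sender, recipient))
            decisions.append((ts, sender, "suppress"))
        else:
            decisions.append((ts, sender, "receipt"))
    return decisions, flagged


def sample_events():
    # Constructed sample: "mallory" sends a silent reaction every 2 s for 40 s;
    # "alice" sends two ordinary messages and a single reaction.
    ev = [(t, "mallory", "victim", "reaction", False) for t in range(0, 40, 2)]
    ev += [(5, "alice", "victim", "text", True),
           (6, "alice", "victim", "reaction", False),
           (30, "alice", "victim", "text", True)]
    return sorted(ev)


if __name__ == "__main__":
    decisions, flagged = filter_receipts(sample_events())
    print("flagged pairs:", flagged)
    print("suppressed:", sum(1 for _, _, d in decisions if d == "suppress"))
```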