
Hackers Exploit Delivery Receipts in Messengers to Steal Private User Data

Security researchers from the University of Vienna have uncovered a sophisticated attack technique that exploits delivery receipts in popular instant messaging applications to extract sensitive user information without triggering any notifications.

The vulnerability, detailed in a paper titled “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers,” demonstrates how attackers can monitor billions of users across multiple devices by simply knowing their phone number.

The Silent Probing Mechanism

The research reveals that WhatsApp and Signal allow attackers to craft specially designed messages that trigger delivery receipts while remaining entirely invisible to victims.

Unlike traditional message-based probing that generates visible notifications, these “silent delivery receipts” enable continuous, high-frequency monitoring without alerting the target.

The attack leverages message reactions, edits, and deletions that trigger delivery confirmations but generate minimal or no user notifications.

By analyzing the timing of these receipt acknowledgments, attackers can systematically extract private behavioral data in real time.

The vulnerability affects an estimated 3 billion WhatsApp users and approximately 136 million Signal users globally.

Researchers emphasize that this represents a fundamental design flaw in how modern end-to-end encrypted messaging protocols handle delivery confirmations.

While previous research demonstrated that delivery receipt timing could reveal approximate user locations at a country level, the new attack achieves unprecedented precision and stealth, enabling monitoring down to second-level granularity.

The research demonstrates that attackers can identify the exact number of devices a user operates, including smartphones, tablets, and desktop/web clients, by analyzing the multi-device delivery receipt architecture.

Each device responds independently with its own confirmation, allowing adversaries to track when users switch between devices or when devices come online and offline.

This enables attackers to infer daily routines, sleep schedules, work commute patterns, and office presence by simply observing which devices respond to which prompts.

Beyond device tracking, the timing patterns in delivery receipts leak granular behavioral information.

By measuring variations in response times, attackers can differentiate between active and inactive device states, determine whether a phone’s screen is currently on or off, and even identify whether the target is actively using a messaging application.

Researchers successfully demonstrated that delivery receipt timing changes when users actively engage with WhatsApp: responses take approximately 300 milliseconds when the app is in the foreground, versus much slower responses when it is minimized.

This allows attackers to calculate precise screen-time metrics and estimate engagement duration for specific applications.

Beyond privacy extraction, the vulnerability enables offensive resource exhaustion attacks.

Researchers demonstrated that attackers can drain a victim’s battery by 14-18 percent per hour on iPhones and approximately 15 percent on Android devices by flooding targets with high-frequency, large-payload delivery receipts.

A single attacker can generate 3.7 megabytes per second of data traffic, equivalent to 13.3 gigabytes per hour, completely silently.

This allows malicious actors to rapidly exhaust victims’ data quotas or deplete battery reserves without generating any warning notifications.

The attack requirements remain remarkably minimal. Researchers purchased a prepaid SIM card and used a basic burner phone to demonstrate how any user can be targeted as a “spooky stranger” (an attacker with no prior relationship to the victim) simply by knowing a phone number.

This eliminates previous attack limitations that required established conversations or contact relationships.

Government officials, celebrities, corporate executives, and any individual with a publicly accessible phone number become potential targets for covert surveillance.
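A defender-side check for the pattern described above, as an added example that is not from the article or the paper: it scans inbound message events for a sustained burst of reactions, edits or deletions from a sender who is not a contact. The event tuple layout, the sample data, the 60-second window and the threshold of 20 are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Message kinds the article names as producing receipts without a visible notification.
SILENT_KINDS = {"reaction", "edit", "delete"}
WINDOW_S = 60     # assumed sliding-window length in seconds
MAX_SILENT = 20   # assumed ceiling of silent events per window from one non-contact

def build_sample():
    """Constructed events (not real telemetry): (unix_seconds, sender, kind, sender_is_contact)."""
    events = []
    # Unknown number sending one reaction per second for two minutes.
    events += [(1000 + i, "+10000000001", "reaction", False) for i in range(120)]
    # Known contact with ordinary chat activity, including a reaction and an edit.
    events += [(1000 + 15 * i, "+10000000002", "text", True) for i in range(8)]
    events += [(1030, "+10000000002", "reaction", True), (1075, "+10000000002", "edit", True)]
    # Unknown number sending a single visible message (produces a notification, so not silent).
    events.append((1050, "+10000000003", "text", False))
    # Unknown number sending a handful of reactions, well under the threshold.
    events += [(1000 + 20 * i, "+10000000004", "reaction", False) for i in range(5)]
    return sorted(events)

def flag_silent_probing(events, window_s=WINDOW_S, max_silent=MAX_SILENT):
    """Return {sender: peak silent-event count in any window} for non-contacts over the threshold."""
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    peaks = {}
    for ts, sender, kind, is_contact in events:
        if is_contact or kind not in SILENT_KINDS:
            continue
        window = recent[sender]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while window and ts - window[0] >= window_s:
            window.popleft()
        if len(window) > max_silent:
            peaks[sender] = max(peaks.get(sender, 0), len(window))
    return peaks

if __name__ == "__main__":
    for sender, peak in flag_silent_probing(build_sample()).items():
        print(f"{sender}: {peak} silent events within {WINDOW_S}s from a non-contact")
```

The contact filter matters: reactions and edits are normal inside an existing conversation, so only volume from senders with no prior relationship is treated as a probing signal here.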

The research identifies significant implementation inconsistencies across different operating systems and device manufacturers.

WhatsApp and Signal handle delivery receipts differently on iOS, Android, Windows, macOS, and web platforms.

These behavioral variations allow attackers to fingerprint victims’ operating systems and even infer which specific device models are in use based on timing characteristics.

The diversity of Android manufacturers creates additional fingerprinting opportunities, as timing patterns vary significantly across Samsung, Qualcomm-based, and MediaTek-powered devices.

Researchers disclosed their findings to Meta (WhatsApp’s parent company) and the Signal Technology Foundation on September 5, 2024.

As of November 2024, over fourteen months later, Meta acknowledged receipt but provided no substantive response, while Signal has not responded at all.

The only confirmed remediation was Firefox’s resolution of a specific activity leakage issue. This extended inaction leaves billions of users vulnerable despite the severity of the disclosed attacks.

The vulnerability is particularly significant for sensitive populations. U.S. Senate staff, European Commission personnel, and multiple senior government officials rely on Signal for classified communications.

Recent media reports indicate that high-ranking U.S. officials, including defense department leadership, use both WhatsApp and Signal for sensitive discussions, with some individuals’ phone numbers publicly accessible online.

The attack’s stealth nature means targets remain entirely unaware of surveillance.


The post Hackers Exploit Delivery Receipts in Messengers to Steal Private User Data appeared first on Cyber Security News.
