Hackers Exploit Delivery Receipts in Messaging Apps to Steal Users’ Private Information

A critical security vulnerability has been discovered affecting billions of WhatsApp and Signal users worldwide.

Researchers found that hackers can exploit delivery receipts to secretly monitor user activity, track daily routines, and drain battery life, all without leaving any visible trace.

The attack, called “Careless Whisper,” uses the delivery receipt feature that confirms when messages reach their destination.

Attackers craft special messages that trigger silent delivery receipts, leaving no notification on the victim’s device, enabling continuous monitoring without detection.

How the Attack Works

The vulnerability exploits message reactions, edits, and deletions. On WhatsApp and Signal, reacting to a message with an emoji, editing it, or deleting it generates a delivery receipt without notifying the target.

By repeatedly sending these invisible messages, attackers analyze response times to extract sensitive information.

Most alarming: attackers only need a victim’s phone number. They don’t need access to the contact list or to existing conversations. This means virtually any of the 3 billion WhatsApp users could become targets.

Security researchers demonstrated that attackers can extract detailed information about victims.

Device Monitoring reveals every device a person uses and when each is active or offline, potentially exposing work locations and home addresses.

Screen Time Tracking works by analyzing response patterns to determine whether a phone’s screen is on or off, effectively mapping sleep schedules and daily routines with second-level precision.

Attackers can detect whether the messaging app is open and in active use, and identify specific phone models and operating systems through response time differences.

Researchers proved that attackers can drain iPhone batteries by 14-18 percent per hour and generate massive, undetected, unwanted data traffic.

Users have virtually no protection. Delivery receipts cannot be turned off in either application’s settings. The attacks generate no notifications, require no existing relationship with victims, and cannot be effectively blocked.

The research has direct implications for high-profile targets. U.S. Senate staff, European Commission officials, and Department of Defense personnel rely on these apps for sensitive communications. Since many government officials’ phone numbers are public, they’re especially vulnerable.

According to the arXiv preprint, researchers disclosed their findings to Meta and Signal in September 2024, but meaningful responses remain absent.

The security community urges both companies to restrict delivery receipts to known contacts and implement stricter server-side rate limiting. Until then, billions of users remain exposed to this invisible threat.
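The two server-side countermeasures recommended above (receipts only for known contacts, and rate limiting of the silent reaction/edit/delete triggers described under “How the Attack Works”) can be sketched as a single policy layer. The following is an added illustration, not code from WhatsApp, Signal, or the researchers; it assumes a hypothetical server that sees each inbound event with its sender, recipient, kind and timestamp, and has access to the recipient’s contact list. The sample traffic is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Actions the article names as generating delivery receipts with no visible
# notification on the target's device.
SILENT_KINDS = {"reaction", "edit", "delete"}


@dataclass(frozen=True)
class Event:
    sender: str      # phone number of the originating account
    recipient: str   # phone number of the target account
    kind: str        # "message" or one of SILENT_KINDS
    ts: float        # server receive time in seconds


class ReceiptPolicy:
    """Hypothetical server-side policy: decides per inbound event whether a
    delivery receipt may be relayed back to the sender, and flags senders
    whose burst of silent triggers matches the probing pattern."""

    def __init__(self, contacts, window_s=60.0, max_silent=10):
        # contacts: recipient -> set of senders in that recipient's address
        # book (assumed to be available to the policy layer).
        self.contacts = contacts
        self.window_s = window_s
        self.max_silent = max_silent
        self._silent = defaultdict(deque)   # (sender, recipient) -> timestamps
        self.flagged = set()

    def _silent_rate_exceeded(self, ev):
        # Sliding-window count of silent triggers from this sender to this target.
        q = self._silent[(ev.sender, ev.recipient)]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.max_silent

    def should_send_receipt(self, ev):
        silent = ev.kind in SILENT_KINDS
        over_limit = silent and self._silent_rate_exceeded(ev)
        if over_limit:
            # Detection: many silent receipt triggers to one target in a short
            # window is the behaviour the article describes; record for review.
            self.flagged.add(ev.sender)
        # Mitigation 1: no delivery receipts for senders the target does not know.
        if ev.sender not in self.contacts.get(ev.recipient, set()):
            return False
        # Mitigation 2: rate-limit receipts for silent actions even from contacts.
        return not over_limit


def evaluate(policy, events):
    """Return the per-event receipt decisions in input order."""
    return [policy.should_send_receipt(ev) for ev in events]


def demo():
    # Constructed sample traffic (not captured data): the first number is a
    # known contact of the target; the second is a stranger who knows only the
    # target's phone number and sends one reaction per second.
    target = "+10000000002"
    friend = "+10000000001"
    stranger = "+10000000099"
    policy = ReceiptPolicy(contacts={target: {friend}}, window_s=60.0, max_silent=10)
    events = [Event(friend, target, "message", 0.0),
              Event(friend, target, "reaction", 1.0),
              Event(friend, target, "edit", 2.0)]
    events += [Event(stranger, target, "reaction", 10.0 + i) for i in range(15)]
    decisions = evaluate(policy, events)
    return decisions, sorted(policy.flagged)


if __name__ == "__main__":
    decisions, flagged = demo()
    print("receipts relayed:", decisions.count(True), "of", len(decisions))
    print("flagged senders:", flagged)
```

In the constructed run the contact’s three events all produce receipts, none of the stranger’s fifteen reactions do, and the stranger is flagged once the eleventh silent trigger lands inside the 60-second window. The contact restriction alone already removes the phone-number-only precondition the article highlights; the rate limit covers the remaining case of a known contact probing a target.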
