Security researchers have exposed a critical privacy flaw dubbed “Careless Whisper” that lets attackers monitor user activity on WhatsApp and Signal through silent delivery receipts, without alerting victims or needing prior contact.
By crafting stealthy messages like reactions to nonexistent content or timed-out edits, adversaries trigger round-trip time (RTT) responses revealing device states, all exploitable with just a phone number.
This affects over three billion WhatsApp users and millions on Signal, enabling routine tracking or battery drain.
Attackers send invisible actions, self-reactions, reaction removals, or invalid deletions that prompt individual delivery receipts from each target device, even without ongoing chats.
These receipts expose RTT variations: roughly one second when the screen is on, two seconds when it is off, and 300 milliseconds when the app is running in the foreground on iPhones.
High-frequency pings, up to sub-second on WhatsApp, amplify precision without notifications, unlike prior overt methods, which are limited by alerts.
Multi-device setups worsen the leakage, the report says, because companion clients (web, desktop) respond separately, which makes online-status shifts detectable, such as a desktop boot-up that signals arrival at the office.
In real-world tests, researchers tracked a Xiaomi phone’s Wi-Fi/LTE switches, calls, and laptop syncs across networks.
| Messenger | Stealthy from Stranger | Multi-Device Probing | Threema Comparison |
|---|---|---|---|
| WhatsApp | Yes | Independent receipts | Restrictive, single receipt |
| Signal | Yes | Independent receipts | No spooky stranger probing |
| Threema | No | Synchronized receipts | N/A |
RTT patterns also fingerprint operating systems through receipt ordering (separate on Android and iOS WhatsApp, stacked in reverse order on macOS), while jitter distinguishes chipsets such as Qualcomm versus Exynos.

Attackers infer schedules, screen time, or app usage, escalating from country-level geolocation in past work to second-granularity behavior.
Offensively, oversized reactions (1 MB payloads) force 3.7 MB/s of traffic, or 13 GB/hour, silently inflating data bills or draining batteries by 14-18% per hour on iPhones and Samsungs. No rate limits curb sustained blasts.
The findings were reported in September 2024; Meta confirmed triage but had issued no patch after 14 months, and Signal ignored the findings.
Researchers urge restricting receipts to contacts, adding RTT noise, client validation of message IDs, and server rate limits. Users can limit unknown messages in privacy settings as an interim defense.
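As an added illustration (not code from the report or the researchers), the following Python simulation uses the RTT values quoted above to show why the recommended RTT noise blunts state inference from a single receipt; the network jitter, sample counts and nearest-value observer model are assumptions.

```python
import random

# Nominal delivery-receipt round-trip times quoted in the article (seconds).
NOMINAL_RTT = {"foreground": 0.3, "screen_on": 1.0, "screen_off": 2.0}

# Assumed natural network jitter (standard deviation, seconds); constructed value.
NETWORK_JITTER = 0.05


def simulate_receipts(state, count, noise_max=0.0, rng=None):
    """Return `count` simulated receipt RTTs for a device in `state`.

    noise_max models the recommended mitigation: the client delays its receipt
    by a random amount in [0, noise_max] seconds before sending it.
    """
    rng = rng or random.Random(0)
    base = NOMINAL_RTT[state]
    return [
        base + rng.gauss(0, NETWORK_JITTER) + rng.uniform(0, noise_max)
        for _ in range(count)
    ]


def infer_state(rtt):
    """Simplified observer: pick the nominal state whose RTT is closest."""
    return min(NOMINAL_RTT, key=lambda s: abs(NOMINAL_RTT[s] - rtt))


def inference_accuracy(noise_max, samples_per_state=200, seed=1):
    """Fraction of single receipts from which the observer infers the true state."""
    rng = random.Random(seed)
    correct = total = 0
    for state in NOMINAL_RTT:
        for rtt in simulate_receipts(state, samples_per_state, noise_max, rng):
            correct += infer_state(rtt) == state
            total += 1
    return correct / total


if __name__ == "__main__":
    # Without noise the three states are cleanly separable; with 2 s of
    # added delay the observer is wrong about half the time.
    for noise in (0.0, 0.5, 2.0):
        print(f"noise_max={noise:.1f}s -> accuracy {inference_accuracy(noise):.2f}")
```

Noise with a zero lower bound still leaks the minimum RTT to an observer who collects many receipts, so it only helps alongside the server-side rate limits the researchers also recommend.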
