Hackers Exploit Delivery Receipts in Messaging Apps to Steal Users’ Private Information
A severe security flaw has been uncovered, putting billions of WhatsApp and Signal users worldwide at risk of being secretly monitored.
According to researchers, hackers can exploit the delivery receipt feature to track users’ daily routines, monitor their activity, and drain their battery life without leaving any visible signs of the attack.
The “Careless Whisper” attack utilizes the delivery receipt feature, which confirms when messages are delivered to the recipient, to carry out its malicious activities.
By crafting special messages that trigger silent delivery receipts, attackers can monitor their targets without being detected, as these messages do not trigger any notifications on the victim’s device.
Understanding the Attack Mechanism
The vulnerability takes advantage of message reactions, edits, and deletions on WhatsApp and Signal. Users can react to messages with emojis or edit message actions, generating delivery receipts without notifying the target.
Attackers can repeatedly send these invisible messages, analyzing response times to extract sensitive information about their targets.
What’s more alarming is that attackers only need a victim’s phone number to carry out the attack. They do not require access to the contact list or any existing conversations, making virtually any of the 3 billion WhatsApp users a potential target.
Security researchers have demonstrated that attackers can extract detailed information about their victims, including their device usage patterns.
Device monitoring can reveal every device a person uses, as well as when each device is active or offline, potentially exposing work locations and home addresses.
Screen time tracking works by analyzing response patterns to determine whether a phone’s screen is on or off, effectively mapping sleep schedules and daily routines with high precision.
Attackers can also detect whether the messaging app is open and in active use, identify specific phone models and operating systems, and even drain iPhone batteries by 14-18 percent per hour, generating massive, undetected data traffic.
Unfortunately, users have virtually no protection against this attack, as delivery receipts cannot be turned off in either application’s settings. The attacks generate no notifications, require no existing relationship with victims, and cannot be effectively blocked.
The research has significant implications for high-profile targets, including U.S. Senate staff, European Commission officials, and Department of Defense personnel, who rely on these apps for sensitive communications. Since many government officials’ phone numbers are public, they are especially vulnerable to this attack.
According to a report published on Arxiv, researchers disclosed their findings to Meta and Signal in September 2024, but the companies have yet to respond meaningfully.
The security community is urging both companies to restrict delivery receipts to known contacts and implement stricter server-side rate limiting to prevent this attack. Until then, billions of users remain exposed to this invisible threat.