A majority of the global population relies on mobile instant messengers for personal and professional communication. Besides plain messaging, many services implement convenience features such as delivery and read receipts, informing a user when a message has successfully reached its target. Furthermore, they have widely adopted security and privacy improvements such as end-to-end encryption. In this paper, we show that even when messages are properly encrypted, private information about a user and their devices can still be extracted by an adversary. Specifically crafted messages that stealthily trigger delivery receipts allow arbitrary users to be pinged without their knowledge or consent. We demonstrate how an attacker could extract private information, such as the number of user devices, their operating system, and their online and activity status. Moreover, we show the feasibility of resource exhaustion attacks draining a user's battery or data allowance. Due to the widespread adoption of vulnerable messengers (WhatsApp and Signal), we show that over two billion users can be targeted simply by knowing their phone number.
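To make the observer side of the abstract concrete, the following is an added, constructed illustration (not code from the paper) of what a sender learns from delivery receipts alone: it groups receipts by probe, counts distinct acknowledging devices, and classifies each device per probe as promptly reachable, delayed, or silent. Two things are assumptions made here, not claims of the abstract: that every device of the target acknowledges a probe with its own distinguishable receipt, and that a receipt arriving within five seconds means the device was online at that moment. How the probe messages are crafted to stay invisible to the recipient is deliberately not modelled.

```python
"""Toy model of delivery-receipt inference from the sender's vantage point.

Constructed illustration for the abstract above; not the paper's code.
Assumptions (not stated in the abstract): each target device acknowledges a
probe separately and is distinguishable to the sender, and a receipt that
arrives within ONLINE_THRESHOLD_S of the probe means that device was online.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ONLINE_THRESHOLD_S = 5.0  # assumption: a receipt faster than this came from an online device


@dataclass(frozen=True)
class Probe:
    probe_id: int
    sent_at: float  # seconds relative to the start of the measurement


@dataclass(frozen=True)
class Receipt:
    probe_id: int
    device_id: str  # assumed: the sender can tell the recipient's devices apart
    received_at: float


def receipts_by_probe(receipts: List[Receipt]) -> Dict[int, List[Receipt]]:
    """Group every observed receipt under the probe that triggered it."""
    grouped: Dict[int, List[Receipt]] = defaultdict(list)
    for r in receipts:
        grouped[r.probe_id].append(r)
    return dict(grouped)


def estimate_device_count(receipts: List[Receipt]) -> int:
    """Number of distinct devices that ever acknowledged a probe."""
    return len({r.device_id for r in receipts})


def latencies(probes: List[Probe], receipts: List[Receipt]) -> Dict[int, Dict[str, float]]:
    """Per probe, per device: seconds between sending the probe and its receipt."""
    sent = {p.probe_id: p.sent_at for p in probes}
    out: Dict[int, Dict[str, float]] = {pid: {} for pid in sent}
    for r in receipts:
        if r.probe_id in sent:
            out[r.probe_id][r.device_id] = r.received_at - sent[r.probe_id]
    return out


def status_per_probe(probes: List[Probe], receipts: List[Receipt],
                     threshold: float = ONLINE_THRESHOLD_S) -> Dict[int, Dict[str, str]]:
    """Classify each known device for every probe as 'online' (prompt receipt),
    'delayed' (receipt arrived after the threshold, i.e. the device reconnected
    later and flushed its queue) or 'silent' (no receipt within the measurement)."""
    devices = sorted({r.device_id for r in receipts})
    lat = latencies(probes, receipts)
    result: Dict[int, Dict[str, str]] = {}
    for p in probes:
        result[p.probe_id] = {}
        for d in devices:
            l = lat[p.probe_id].get(d)
            if l is None:
                status = "silent"
            elif l <= threshold:
                status = "online"
            else:
                status = "delayed"
            result[p.probe_id][d] = status
    return result


def activity_timeline(probes: List[Probe], receipts: List[Receipt],
                      threshold: float = ONLINE_THRESHOLD_S) -> List[Tuple[float, int]]:
    """Coarse activity signal: for each probe time, how many devices answered promptly."""
    st = status_per_probe(probes, receipts, threshold)
    return [(p.sent_at, sum(1 for s in st[p.probe_id].values() if s == "online"))
            for p in probes]


# Constructed sample data: four probes ten minutes apart. "phone" answers every
# probe within a second; "desktop" answers the first two, is offline for the
# third (its receipt only arrives when it reconnects at t=1500) and never
# answers the fourth within the measurement window.
PROBES = [Probe(i, 600.0 * i) for i in range(4)]
RECEIPTS = [
    Receipt(0, "phone", 0.9), Receipt(0, "desktop", 1.4),
    Receipt(1, "phone", 601.1), Receipt(1, "desktop", 601.6),
    Receipt(2, "phone", 1200.8), Receipt(2, "desktop", 1500.3),
    Receipt(3, "phone", 1800.7),
]

if __name__ == "__main__":
    print("devices:", estimate_device_count(RECEIPTS))
    for pid, statuses in status_per_probe(PROBES, RECEIPTS).items():
        print(f"probe {pid}: {statuses}")
    print("activity:", activity_timeline(PROBES, RECEIPTS))
```

On the constructed data the observer infers two devices, sees the desktop drop off after the second probe, and sees a 300-second receipt delay that pins the moment the desktop came back online; nothing in this inference needs message content, which is the point the abstract makes about encryption not being a defence against this channel.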
@article{gegenhuber2025_2411.11194,
  title={Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers},
  author={Gabriel K. Gegenhuber and Maximilian Günther and Markus Maier and Aljosha Judmayer and Florian Holzbauer and Philipp É. Frenzel and Johanna Ullrich},
  journal={arXiv preprint arXiv:2411.11194},
  year={2025}
}