
Weak security in WhatsApp and Signal allows low-skill attackers to track users

Tracking WhatsApp (symbolic image created with Stable Diffusion)
Researchers at the University of Vienna have uncovered vulnerabilities within WhatsApp and Signal that allow undetectable user tracking through round-trip time (RTT) measurements. A simple program now available on GitHub demonstrates how easily this weakness can be exploited.

A group of researchers from the University of Vienna has found a small but serious security hole in the way end-to-end encrypted (E2EE) messaging services work. The study, initially published on November 17, 2024, under the title "Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers," highlights the possibility of tracking devices using Round-Trip Time (RTT) data when WhatsApp or Signal is installed.

A program has now been released on GitHub that can automatically exploit this vulnerability in WhatsApp. While the provision of such a tool raises ethical concerns, it is intended to pressure WhatsApp into addressing the security gap and improving user privacy protections.

The basic idea behind the program is surprisingly simple. The tracker sends reaction messages that reference non-existent message IDs. The target device still replies with a delivery receipt. This response, invisible to the user, reveals the RTT: the time required to send the manipulated request and receive the reply.

While these data points alone do not reveal an immediate location, they can provide valuable insights when collected over extended periods. Patterns within the RTT data can indicate when a device is actively in use or in standby mode. The network connection type, such as Wi-Fi or cellular, may also be deduced. By analyzing these activity patterns over hours or days, attackers could draw conclusions about user behavior. Furthermore, the constant requests consume battery life and mobile data on the affected smartphone.

Currently, users have limited options to defend against this tracking method. There are no notifications on smartphones alerting users to such monitoring. The attacker's phone number cannot be obtained, making blocking it impossible. Neither Signal nor WhatsApp currently offers an option to disable delivery receipts. A drastic solution is the only option at this time: removing all impacted end-to-end encrypted messaging services from your device.

Marc Herter, 2025-12-11 (Update: 2025-12-11)