WhatsApp and Signal: Privacy vulnerable, tracker software available
The WhatsApp and Signal messengers reveal user information through the round-trip times of message confirmations. A setting helps to some extent.
(Image: Henk Vrieselaar/Shutterstock.com)
The messengers WhatsApp and Signal reveal a lot about users through the round-trip times of message confirmations. A proof-of-concept implementation highlights the problem and allows user profiles to be created from this meta-information. Only limited mitigation is possible.
Based on a research paper from the University of Vienna (first presented in November 2024), a proof-of-concept (PoC) implementation named “WhatsApp-Device-Activity-Tracker” is now available on GitHub. It abuses the read receipts that messengers like Signal or WhatsApp send in response to messages. By measuring the runtimes, conclusions can be drawn about the users. The PoC uses carefully crafted messages that trigger such read receipts without users noticing.
Measuring the so-called round-trip time (RTT) of WhatsApp read receipts makes it possible to determine when users are actively using their device, when it is in standby or idle mode, possible location changes based on the use of mobile data or Wi-Fi, and finally, over time, to build and detect activity patterns. This represents a potentially profound intrusion into privacy and can be misused for surveillance, conclude the developers of the PoC.
Proof-of-concept for WhatsApp – and possible protection
The proof-of-concept performs these attacks for WhatsApp. It implements two probing methods: one sends a delete request for a non-existent message ID, the other sends a reaction emoji for a non-existent message ID. The PoC measures the time between sending the message and receiving the ACK message from the client (Acknowledge, i.e., the “confirmation” from the victim). The software derives the device status from the deviation from the round-trip time median: an RTT below 90 percent of the median indicates active device usage. The tool keeps a history and continuously adjusts the median, so that changed network environments are taken into account.
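To illustrate how little is needed to turn receipt timings into a device-state profile, here is an added example (not code from the PoC or the paper) of the median-based classification the article describes, run over constructed RTT samples. The 0.9 factor is the one the article cites; the window size, the minimum sample count and the 1.5 factor for flagging a network change are assumptions.

```python
from collections import deque
from statistics import median

# Article: an RTT below 90 percent of the running median indicates active use.
ACTIVE_RATIO = 0.9
# Assumptions for this illustration (not from the article or the PoC):
SHIFT_RATIO = 1.5    # RTT far above the median hints at a changed network (Wi-Fi <-> mobile data)
WINDOW = 20          # rolling history length used for the adaptive median
MIN_SAMPLES = 5      # samples needed before the median is trusted


class RttStateEstimator:
    """Classifies each receipt round-trip time against a rolling median so the
    baseline follows changing network conditions, as the article describes."""

    def __init__(self, window=WINDOW):
        self.history = deque(maxlen=window)

    def observe(self, rtt_ms):
        if len(self.history) < MIN_SAMPLES:
            self.history.append(rtt_ms)
            return "calibrating"
        baseline = median(self.history)
        self.history.append(rtt_ms)  # keep adjusting the median over time
        if rtt_ms < ACTIVE_RATIO * baseline:
            return "active"
        if rtt_ms > SHIFT_RATIO * baseline:
            return "network change?"
        return "standby/idle"


def classify_trace(rtts_ms):
    """Run a whole sequence of RTT samples through one estimator."""
    est = RttStateEstimator()
    return [est.observe(r) for r in rtts_ms]


# Constructed sample: idle on one network, then two fast replies while the
# device is in use, then a jump in latency after a network change.
SAMPLE_RTTS_MS = [400, 410, 395, 405, 400, 402, 250, 260, 900, 910]

if __name__ == "__main__":
    for rtt, state in zip(SAMPLE_RTTS_MS, classify_trace(SAMPLE_RTTS_MS)):
        print(f"{rtt:5d} ms -> {state}")
```

Note how the baseline absorbs the fast "active" samples: a long run of activity lowers the median, which is why the PoC has to keep re-estimating it rather than using a fixed threshold.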
WhatsApp has a configuration option that allows users to protect themselves at least to some extent from such attacks. In WhatsApp, users need to select the icon with the three stacked dots in the top right corner and tap on “Settings.” Then, go to “Privacy” and further down to “Advanced.” Enabling “Block messages from unknown accounts” causes WhatsApp to block “messages from unknown accounts” “if they exceed a certain number.” However, since there is no indication of how high this number of messages is, this does not provide comprehensive protection. For Signal, the PoC developers do not mention any setting that could provide a remedy.
In the GitHub project, the Signal developers suggest a solution, though: “For people who want to restrict delivery receipts, Signal already supports disabling phone number discoverability (Settings > Privacy > Phone Number > Who Can Find Me By Number). With this setting enabled, you can choose a random alphanumeric username and no one will be able to send you any messages (delivery receipts or otherwise) unless you share that username with them.”
The authors explicitly point out that disabling read receipts for conventional messages helps but does not protect against this specific attack. “As of December 2025, this vulnerability in WhatsApp and Signal remains exploitable,” they state. This puts WhatsApp and Signal under obligation to quickly release an update that prevents these attacks.
We have inquired with both Signal and WhatsApp whether and when the organizations intend to solve the problem. From WhatsApp, we immediately received an AI-generated response that did not mention a timeframe or any statement about possible solutions. The answer regarding the number of messages after which the security feature blocks further requests also remained unspecific: it depends “on various factors, such as the type of messages and the attacker's behavior. We cannot give you a specific number, as it can vary from case to case.”
Fundamentally, WhatsApp is working on improving privacy. At the end of April, for example, the developers presented the “Advanced Chat Privacy” feature.
Added the suggestion from Signal developers that disabling phone number discoverability will protect Signal users from such an attack.
(dmk)