nemozone

Recent research has unveiled significant vulnerabilities in two of the most popular messaging applications, WhatsApp and Signal, which could lead to serious privacy violations for their users. Conducted by a team from the University of Vienna, this study highlights how these vulnerabilities can be exploited to extract sensitive information and potentially launch resource depletion attacks.

Key Findings from the Study

Unintended Data Exposure

One of the most alarming discoveries is that delivery receipts—notifications confirming message delivery—can inadvertently expose a wealth of information about users. This includes: – The number of devices a user operates. – The operating systems in use. – Activity states such as whether the screen is on or off.

Such data can enable adversaries to monitor app usage patterns, infer behavioral habits, and even track users' locations without their knowledge.

Stealthy Tracking Mechanisms

The study identifies a troubling method by which attackers can covertly track users. By sending reactions to non-existent messages, they can trigger delivery receipts without alerting the victim. This allows individuals outside the user's contact list to monitor their behavior discreetly.

Resource Exhaustion Attacks

Beyond privacy concerns, attackers can exploit these vulnerabilities for denial-of-service (DoS) attacks. For example, they could inflate data usage on WhatsApp to an astonishing 13.3 GB per hour, leading to rapid battery depletion and increased data costs for victims.

Platform Vulnerabilities

While both WhatsApp and Signal are significantly affected by these issues, the study notes that Threema's architecture offers better resistance against such attacks, limiting the potential for stealthy probes and multi-device leaks.

Proposed Defense Strategies

To combat these vulnerabilities, the researchers suggest several countermeasures: – Strengthen client-side checks: Enhance mechanisms to reject invalid or irrelevant messages. – Restrict message frequencies: Mitigate resource exhaustion attacks by limiting how often messages can be sent. – User control over delivery receipts: Allow users to disable delivery receipts entirely for improved privacy. – Synchronized receipt issuance: Implement synchronized multi-device receipt notifications to minimize leakage. – Artificial delays: Introduce delays in acknowledgment timings to counteract tracking efforts.

Conclusion

This study serves as a crucial reminder of the delicate balance between usability and security in encrypted messaging platforms. Developers must prioritize refining delivery receipt mechanisms and integrating privacy-by-default principles to protect user data against emerging threats. While users have limited options to mitigate these risks, remaining vigilant and utilizing available privacy settings is essential for safeguarding personal information in an increasingly interconnected world.

Citations: [1] https://cyberinsider.com/exploiting-privacy-leaks-in-signal-and-whatsapp-messaging-apps/