WhatsApp Signal Privacy Vulnerability: Silent Tracking Attack Exposed (2026)


Note on technical designation: This vulnerability, dubbed “Careless Whisper” by the research team, does not yet have an official CVE (Common Vulnerabilities and Exposures) designation as of January 2026. However, it is formally documented under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The peer-reviewed research was published via ArXiv (2411.11194v4) in 2024, with public proof-of-concept tools released in December 2025. The lack of CVE assignment reflects that this is a design-level protocol issue rather than a patchable bug.

A newly revealed WhatsApp Signal privacy vulnerability demonstrates that encrypted messaging apps are leaking far more information than their three billion users realise. Academic research from the University of Vienna and SBA Research has uncovered a delivery receipt timing attack that allows silent profiling of user activity without triggering a single notification or breaking end-to-end encryption.

Unlike traditional message interception tactics, this WhatsApp Signal privacy vulnerability exploits the metadata flowing beneath encrypted conversations. Attackers can now build detailed activity profiles by sending invisible reactions to non-existent messages and measuring how quickly delivery receipts return.

What Is the Delivery Receipt Timing Attack?

The vulnerability, academically documented as “Careless Whisper,” works through elegant simplicity. Attackers send high-frequency message reactions to invalid message IDs. These reactions never appear in your chat history, yet WhatsApp and Signal still issue delivery receipts in response. By measuring the round-trip time of these acknowledgements, attackers infer your device state: whether your screen is active, whether you’re connected to Wi-Fi or mobile data, or if you’re completely offline.

The brutal reality? A public proof-of-concept tool called Device Activity Tracker has weaponised this academic research. Released on GitHub by developer gommzystudio, the tool requires nothing more than a target’s phone number. No prior contact relationship needed. No conversation history required. The attack works against all WhatsApp and Signal users with discoverable numbers.

This alarming vulnerability exposes a critical flaw in the privacy of millions of users. With the Device Activity Tracker, attackers can effortlessly exploit this method, invading your privacy without you ever realising it. The implications are staggering: your device activity is laid bare for anyone with malicious intent, undermining the very foundation of secure communication. It’s time to demand robust protocol-level fixes and hold platforms accountable for ensuring user privacy in an increasingly hostile digital landscape.

How Deep Can This Activity Fingerprinting Go?

Testing by security researchers and independent analysts has documented disturbingly intimate behavioural profiling capabilities. Probing at intervals as frequent as 50 milliseconds, attackers can discern:

  • Sleep and wake patterns based on device responsiveness cycles
  • Active phone usage versus locked screen states
  • Network transitions between Wi-Fi and cellular connections
  • When linked devices like desktop clients come online
  • Approximate geographic location through network latency correlation

The victim experiences no notification, no message indicator, no visible artefact. The WhatsApp Signal privacy vulnerability operates entirely in the background, detectable only through forensic examination or by noticing abnormal battery consumption.

This represents a fundamental shift in threat models for privacy-conscious users. Rather than targeting message content, sophisticated attackers now profile the metadata surrounding your communications.

The Resource Exhaustion Problem Nobody’s Discussing

High-frequency probing doesn’t come without cost to victims. Documented testing shows battery drain rates exceeding 14% per hour on phones subjected to constant surveillance probing. Mobile data consumption spikes alongside battery depletion, creating potential financial impact for users with capped data plans.

The attacker simultaneously deploys surveillance and resource exhaustion. Victims blame aging batteries or buggy applications whilst remaining completely unaware of ongoing profiling activity. This dual-impact attack vector makes the WhatsApp Signal privacy vulnerability particularly insidious for targeted surveillance campaigns.


Battery Drain Impact Summary

Metric | Measurement | Impact
Battery drain (high-frequency probing) | 14%+ per hour | Device unusable within 6-8 hours
Mobile data consumption | 20-50 MB per hour | Potential financial impact
Visibility to victim | Zero notifications | Complete stealth
Detection difficulty | Forensic analysis only | Users blame aging battery

Source: University of Vienna Security Research Team, 2024

Why Platform Fixes Remain Incomplete

Both Meta (WhatsApp) and the Signal Foundation have known about this WhatsApp Signal privacy vulnerability since late 2024, yet neither has implemented complete protocol-level remediation. Signal deployed stricter rate limiting in their December 2025 update, providing partial protection but not eliminating the attack vector entirely. WhatsApp imposes no meaningful rate limits on delivery receipt generation, leaving the platform especially vulnerable to high-frequency tracking campaigns.

The delay stems from architectural constraints. Properly fixing this requires fundamental changes to how these platforms handle message acknowledgement. Complete remediation would likely require disabling certain delivery receipt types altogether or implementing breaking protocol changes that could degrade user experience.
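As an added example (not code from the paper, the Device Activity Tracker tool, or either platform), here is a simplified client-side delivery-receipt policy that models the two mitigations this section and the attack description above imply: never acknowledge a reaction to a message that does not exist, and throttle a sender that accumulates many such dangling reactions in a short window, with a stricter cap for numbers not in the contact list (the idea behind “Block unknown messages”). The event schema, thresholds and phone numbers are assumptions for illustration.

```python
# Added example: simplified receipt policy, not real WhatsApp or Signal code.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Reaction:
    sender: str          # assumed: phone number or account id of the sender
    target_msg_id: str   # id of the message the reaction claims to refer to
    ts_ms: int           # client receive time in milliseconds


class ReceiptPolicy:
    """Decide, per inbound reaction, whether a delivery receipt may be sent."""

    def __init__(self, known_msg_ids, contacts, window_ms=10_000,
                 max_dangling_contact=30, max_dangling_unknown=5):
        self.known = set(known_msg_ids)          # message ids this chat has
        self.contacts = set(contacts)
        self.window_ms = window_ms
        self.limits = (max_dangling_contact, max_dangling_unknown)
        self._dangling = defaultdict(deque)      # sender -> dangling timestamps
        self.throttled = set()

    def decide(self, r: Reaction) -> str:
        """Return 'ack', 'silent' (no receipt sent) or 'throttle'."""
        if r.sender in self.throttled:
            return "throttle"
        if r.target_msg_id in self.known:
            return "ack"                         # genuine reaction: normal receipt
        q = self._dangling[r.sender]
        q.append(r.ts_ms)
        while q and r.ts_ms - q[0] > self.window_ms:
            q.popleft()                          # keep only the sliding window
        limit = self.limits[0] if r.sender in self.contacts else self.limits[1]
        if len(q) > limit:
            self.throttled.add(r.sender)         # candidate for user review/block
            return "throttle"
        return "silent"                          # dangling reaction: never acknowledge


def run_sample():
    """Constructed stream: one real reaction from a contact, then a burst of
    50 ms-spaced reactions to invalid message ids from an unknown number."""
    policy = ReceiptPolicy(known_msg_ids={"m1", "m2"}, contacts={"+15550100"})
    events = [Reaction("+15550100", "m1", 0)]
    events += [Reaction("+15550199", f"bogus-{i}", 1000 + 50 * i)
               for i in range(20)]
    counts = defaultdict(int)
    for e in events:
        counts[policy.decide(e)] += 1
    return dict(counts), sorted(policy.throttled)


if __name__ == "__main__":
    print(run_sample())
```

Suppressing the receipt removes the round-trip signal for that particular reaction; the throttle is what caps how often a probing sender can collect any signal at all, which is the part the page says Signal's December 2025 rate limiting only partially delivers.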

Meta’s track record with privacy vulnerabilities remains mixed. Earlier in 2025, researchers documented that WhatsApp’s contact discovery API allowed enumeration of 3.5 billion active accounts through insufficient rate limiting, exposing phone numbers, encryption keys, and profile metadata at scale.

Related Security Research (Same Research Team)

The Careless Whisper vulnerability is part of a coordinated security initiative conducted by the University of Vienna and SBA Research:

1. Careless Whisper (This article)
– Analysis of delivery receipt timing
– RAID 2025 Best Paper Award
– ArXiv 2411.11194

2. Prekey Pogo (USENIX WOOT 2025)
– Weaknesses in the Signal Protocol handshake
– Currently undergoing patching

3. Contact Discovery Vulnerability (NDSS 2026)
– Account enumeration at scale for approximately 3.5 billion WhatsApp users
– Already addressed by Meta


This multi-year research programme illustrates that security issues in messaging applications are systemic design challenges rather than isolated flaws.

Immediate Protection Steps You Can Take

Whilst waiting for comprehensive platform fixes, users have limited but meaningful defensive options.

WhatsApp Privacy Settings

Enable “Block unknown messages” under Settings > Privacy > Advanced. This reduces the attack surface exposed to unknown senders, though WhatsApp does not specify what message volume counts as “high volume” and triggers the block. Determined attackers probing at moderate frequencies may still stay below that threshold and circumvent the control.

Additional WhatsApp hardening:

  • Restrict “Last Seen” visibility to contacts only
  • Disable read receipts where acceptable for your communication patterns
  • Hide profile photo from non-contacts
  • Enable two-factor authentication to prevent account takeover

Signal Privacy Settings

Disable delivery receipts and typing indicators through Privacy Settings. Signal’s controls offer more granular protection than WhatsApp’s equivalents. Additionally, hide your phone number and restrict discoverability through Signal’s sealed sender features.

Signal-specific hardening:

  • Enable “Sealed Sender” for maximum metadata protection
  • Restrict who can find you by phone number
  • Disable “Show calls in recents” on iOS
  • Review and limit linked devices regularly

These measures reduce metadata emission but don’t eliminate the WhatsApp Signal privacy vulnerability entirely. The attack vector remains exploitable at the protocol level pending proper remediation from platform developers.

Layer VPN Protection for Network-Level Privacy

Beyond application-level controls, network privacy tools provide additional defence layers. A quality VPN service masks your IP address and network characteristics, making geographic profiling significantly harder even if delivery receipt timing leaks device state information.

Proton VPN offers Swiss-based privacy protection with a strict no-logs policy independently audited by third-party security researchers. Built by the same team behind Proton Mail, Proton’s ecosystem provides comprehensive communications privacy covering both messaging metadata and email security.

Proton VPN’s NetShield ad-blocker and malware protection add defensive layers against tracking attempts whilst browsing. The VPN’s Secure Core architecture routes traffic through privacy-friendly jurisdictions before exiting to your destination, providing protection even if exit servers face compromise.

For users facing sophisticated threat actors exploiting the WhatsApp Signal privacy vulnerability, combining application-level privacy controls with network-level VPN protection creates defence in depth. Neither layer provides absolute protection in isolation, but layered security significantly raises attacker costs.

The Metadata Surveillance Paradigm Shift

This WhatsApp Signal privacy vulnerability highlights a fundamental shift in how cyber attacks operate. Rather than attempting to break encryption or steal decryption keys, sophisticated adversaries now focus on metadata patterns. Delivery receipt timing, network behaviour, device state changes—these subtle signals, when aggregated, create behavioural fingerprints as revealing as message content itself.

The irony cuts deep: users who migrated from SMS to encrypted messaging for security reasons are discovering that encryption protects conversation content but not the conversation about the conversation. The platforms’ records of who communicated when, from where, and for how long remain visible to attackers exploiting protocol-level design assumptions.

This mirrors patterns emerging across cybersecurity and privacy tools. Technical solutions frequently protect specific attack vectors whilst leaving adjacent metadata streams exposed. Comprehensive privacy requires layered approaches addressing multiple threat vectors simultaneously.

Threat Model Considerations for High-Risk Users

If you communicate with sensitive sources, operate in hostile environments, or handle information making you a high-value surveillance target, the WhatsApp Signal privacy vulnerability requires immediate consideration in your personal security strategy.

High-profile journalists, activists, political dissidents, and officials face documented targeting through these techniques. Security alerts from CISA and allied cybersecurity agencies confirm state-sponsored threat actors actively exploit messaging metadata for surveillance and intelligence gathering.

For ordinary users, risk remains lower but real. Mass surveillance tools tend to democratise: once techniques are published with working proof-of-concept code, they eventually reach both opportunistic criminals and state-sponsored programmes. The Device Activity Tracker being publicly available compresses the timeline for widespread exploitation from theoretical to imminent.

Consider your actual threat model:

  • Who might target you and why?
  • What information do you handle that others find valuable?
  • What consequences follow from your activity patterns being profiled?
  • What defensive measures are proportionate to your actual risk?

Privacy isn’t binary. Understanding your realistic threat landscape helps you deploy proportionate defences without succumbing to paranoia or ignoring genuine risks.

What Makes This Attack Particularly Dangerous

Several factors compound the severity of this WhatsApp Signal privacy vulnerability:

Scale: The attack works against all WhatsApp and Signal users with discoverable phone numbers—potentially billions of targets globally.

Stealth: Victims receive no notification, no message indicator, no visible evidence of ongoing surveillance. Detection requires forensic examination or noticing secondary effects like battery drain.

Accessibility: Public proof-of-concept tools eliminate technical barriers. Anyone with moderate technical competency can deploy this attack with freely available software.

Protocol-level: The vulnerability exists in how these platforms handle delivery receipts at the protocol layer. Application-level security features don’t prevent exploitation.

Persistent: Even after applying available privacy controls, the underlying vulnerability remains exploitable pending platform fixes. Users can only reduce exposure, not eliminate it.

The convergence of these factors creates a surveillance tool accessible to a broad threat actor spectrum, from jealous partners to corporate espionage operations to state intelligence services.

When Will Proper Fixes Arrive?

Neither WhatsApp nor Signal has committed to specific timelines for comprehensive protocol-level remediation. Signal’s December 2025 rate limiting provides partial mitigation but doesn’t eliminate the attack vector. WhatsApp has acknowledged the issue but implemented no meaningful countermeasures as of January 2026.

The academic researchers who discovered and documented this WhatsApp Signal privacy vulnerability worked with both platforms through coordinated disclosure processes. Meta implemented partial fixes to the separate contact enumeration vulnerability but hasn’t addressed delivery receipt timing comprehensively. Signal deployed rate limiting but acknowledges determined attackers can still exploit the mechanism at reduced frequency.

Users should expect this issue to remain a concern throughout 2026 unless either platform implements breaking protocol changes affecting delivery receipt behaviour. The challenge: proper fixes likely degrade user experience by removing delivery confirmation features users expect from modern messaging applications.

Alternative Secure Messaging Options

For users whose threat models demand maximum metadata protection, alternative platforms offer different privacy tradeoffs. Session, based on the Oxen blockchain, routes messages through a decentralised onion network providing stronger metadata privacy than WhatsApp or Signal’s architectures allow.

Briar operates entirely peer-to-peer without central servers, making centralised metadata collection impossible by design. However, Briar’s usability lags behind mainstream messaging apps, limiting adoption outside high-security use cases.

These alternatives involve significant UX compromises. Most users will continue using WhatsApp and Signal despite known vulnerabilities, accepting privacy tradeoffs for convenience and network effects. Understanding these tradeoffs allows informed decisions rather than false security assumptions.

Frequently Asked Questions

Can someone track my WhatsApp activity without me knowing?

Yes. The delivery receipt timing attack allows silent activity profiling through invisible message reactions that never appear in your chat history. Attackers measure how quickly delivery receipts return to infer your device state, network connection type, and activity patterns. You’ll see no notifications during this surveillance.

What is a timing attack on messaging apps?

A timing attack measures how long operations take to complete, using time differences to infer information the application doesn’t explicitly reveal. In this WhatsApp Signal privacy vulnerability, attackers send invisible reactions and measure delivery receipt return times. Faster responses indicate active devices with network connectivity; delayed responses suggest offline or locked devices.

How to protect WhatsApp from privacy attacks in 2026?

Enable “Block unknown messages” under WhatsApp Settings > Privacy > Advanced. Restrict “Last Seen” visibility to contacts only. Disable read receipts where practical. Hide your profile photo from non-contacts. Enable two-factor authentication. Consider using Proton VPN to mask network-level metadata that timing attacks exploit.

Does Signal protect delivery receipt metadata?

Partially. Signal’s “Sealed Sender” feature provides stronger metadata protection than WhatsApp, but the delivery receipt timing attack still works against Signal users. Signal implemented rate limiting in December 2025 providing some protection, but determined attackers can still exploit the mechanism. Disable delivery receipts entirely in Signal’s privacy settings for maximum protection.

Is end-to-end encryption enough for privacy?

No. End-to-end encryption protects message content but not metadata. This WhatsApp Signal privacy vulnerability demonstrates attackers can profile your activity without ever breaking encryption by exploiting delivery receipt timing. Comprehensive privacy requires layered approaches: encrypted communications plus metadata protection plus network privacy through VPN services.

How to stop WhatsApp battery drain from tracking?

Battery drain from surveillance tracking is a symptom, not the root cause. Enable WhatsApp’s “Block unknown messages” feature to reduce attack surface. Monitor battery usage statistics for abnormal WhatsApp background activity. Consider disabling the app when not actively needed if you suspect targeting. Layer VPN protection to reduce network-level profiling effectiveness.

What are the best privacy settings for WhatsApp and Signal?

WhatsApp: Enable “Block unknown messages,” restrict “Last Seen” to contacts, disable read receipts, hide profile photo from non-contacts, enable two-factor authentication.

Signal: Enable “Sealed Sender,” disable delivery receipts and typing indicators, hide phone number, restrict discoverability, review linked devices regularly, enable registration lock.

Combine application settings with network privacy through trusted VPN services for layered protection.

Can WhatsApp or Signal fix this vulnerability?

Yes, but fixes require protocol-level changes that may degrade user experience. Proper remediation likely involves disabling or fundamentally redesigning how delivery receipts work. Signal’s December 2025 rate limiting provides partial protection. WhatsApp hasn’t implemented meaningful countermeasures as of January 2026. Users should expect this issue to persist through 2026 pending architectural redesigns.

Moving Forward with Realistic Privacy Expectations

The WhatsApp Signal privacy vulnerability serves as a stark reminder that privacy in digital communications requires constant vigilance and layered defences. No single tool or platform provides absolute protection. Effective privacy comes from understanding threat models, applying appropriate controls across multiple layers, and maintaining realistic expectations about what current technology can and cannot protect.

For most users, the practical steps outlined above—tightening application privacy settings, using quality VPN services like Proton VPN, and understanding metadata risks—provide proportionate protection against this threat. High-risk users may need to evaluate alternative platforms or accept more significant UX compromises for enhanced metadata privacy.

The security research community’s disclosure of this WhatsApp Signal privacy vulnerability through academic channels and coordinated disclosure processes demonstrates a responsible approach to surfacing systemic privacy issues. Users benefit when researchers, platforms, and the broader security community work together to address vulnerabilities before attackers independently discover and exploit them.

Stay informed about emerging privacy threats through trusted sources covering cybersecurity and privacy developments. Privacy isn’t a one-time configuration but an ongoing practice adapting to evolving threat landscapes.

Last Updated: January 8, 2026

Technical reference: This vulnerability is formally documented as “Careless Whisper” in peer-reviewed research published via ArXiv (ID: 2411.11194v4, published 2024) by researchers from the University of Vienna and SBA Research. It falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and does not have an assigned CVE number as of January 2026. The lack of CVE assignment reflects that this is a protocol-level design issue rather than a traditional vulnerability.

This vulnerability remains active and unpatched at the protocol level. Both WhatsApp and Signal users are affected. Expect this issue to remain a concern until either platform implements fundamental architectural changes to delivery receipt handling or the research community discovers compensating controls. In the interim, the best defence is understanding your actual threat model and applying the privacy controls available to you, knowing their limitations clearly.


Disclosure: This article contains affiliate links to Proton services. If you purchase through these links, Baizaar Tools may receive a commission at no additional cost to you. We only recommend privacy tools we’ve researched and believe provide genuine value. Learn more about our transparency and ethical practices.
