this post was submitted on 19 Dec 2025
57 points (89.0% liked)


Three billion WhatsApp users are at risk - an expert has developed a tool that could spy on everyone, and you would never know about it

top 17 comments
[–] Nomad 28 points 7 hours ago (3 children)

Security expert here.... This is a nothingburger and will be fixed on the server side soon, I expect. This is about spreading fear, uncertainty and doubt. The research is academic in nature and the results are interesting, but this is only a side channel to reveal things like maybe your rough timezone and maybe a few correlations via connectivity quality. This is what they do if they need to confirm whether a person uses the same phone number, for example. And they could just look it up in the registry or maybe just call you...

This is not a widespread privacy concern, is not very practical to use, especially at scale, and is easily fixable. It's comparable to the traffic pattern analysis they do to confirm Tor users' identity if they found them but need supporting evidence. It's what's left when the technology works as intended. So chill your paranoia.

[–] halfdane@lemmy.world 1 points 1 hour ago

While I appreciate your refusal to spread panic, would you mind explaining what the attack does and why it's a nothingburger, maybe even why it's not practical? Because right now, you assert a lot of things without any explanation.

Not saying you're wrong, but I think it's good practice to not just rely on claims of authority

[–] pcouy@lemmy.pierre-couy.fr 1 points 3 hours ago

I believe Signal has already fixed it, while Meta said they won't fix this in WhatsApp.

This side channel can be used to infer more than a rough timezone; specifically, an attacker could continuously monitor:

  • the number of devices linked to the target’s account, along with fingerprints that allow differentiation between operating systems and browsers
  • the locked or unlocked state of the target’s phone
  • whether the phone is connected via Wi-Fi or a mobile network
  • whether the WhatsApp application or browser tab is running in the foreground or background.

In addition, an attacker could deliberately drain the target’s phone battery and consume their mobile data allowance.

I've tested this on myself and can confirm all of this can be done reliably.

[–] hoshikarakitaridia@lemmy.world 7 points 7 hours ago (1 children)

IT hobbyist here. This guy knows his stuff. Dangerous attacks are the ones that are very low effort with medium to high reward. This attack is high effort and low reward. This is one of those trivia things that you will virtually never see in the wild.

[–] pcouy@lemmy.pierre-couy.fr 0 points 6 hours ago* (last edited 6 hours ago)

This is not high effort. Starting from an open source WhatsApp client library, reproducing the attacks described in the research paper is trivial. There are even a few public GitHub repos implementing PoCs of this.

Whether the reward should be considered high or low is ultimately subjective. What is objectively verifiable, however, is that an attacker can continuously (and silently) monitor several aspects of a target’s environment, including:

  • the number of devices linked to the target’s account, along with fingerprints that allow differentiation between operating systems and browsers
  • the locked or unlocked state of the target’s phone
  • whether the phone is connected via Wi-Fi or a mobile network
  • whether the WhatsApp application or browser tab is running in the foreground or background.

In addition, an attacker could deliberately drain the target’s phone battery and consume their mobile data allowance.

[–] Cyber@feddit.uk 5 points 5 hours ago* (last edited 5 hours ago)

Bit too much FUD here.

Traditional antivirus software does not detect protocol-level misuse.

I don't think it ever did... you'd be looking for a (N)IDS for that function

I don't use either application, but I suspect that most of this theory could be used on Jabber clients too...

It's a novel way to do recon, but you'd already need to know much more about a target to be able to use the data.

But... good to know about.

[–] Tollana1234567@lemmy.today 4 points 5 hours ago

Isn't WhatsApp owned by Meta?

[–] thefluffiest@feddit.nl 7 points 8 hours ago (3 children)

I’ve read the article - but what can an attacker actually DO using this technique? Drain battery? The article mentions ‘tracking’, but in what way?

[–] cron@feddit.org 3 points 6 hours ago

I guess that it could also be used to compare different people. Do they have fast and slow connections at about the same time? Then they might be spending time together.

This is clearly not for mass espionage, but at least a theoretical approach to confirm a suspicion.

[–] HakunaHafada@lemmy.dbzer0.com 3 points 7 hours ago

The article states patterns could be drawn from response times. Fast response times could indicate a high-availability, low-latency network (such as being at home), where longer response times could indicate the phone is away from that network, whether on the road or at a store or business, etc.

[–] Goretantath@lemmy.world 6 points 9 hours ago (2 children)

My phone has the exact symptoms described in this article.. I don't like this..

[–] wizardbeard@lemmy.dbzer0.com 9 points 9 hours ago

You can mitigate (but not entirely stop) the technique by going to WhatsApp Settings, selecting Privacy, going to Advanced, and enabling “Block unknown account messages”, and also by disabling read receipts.

You could also uninstall the app and see if your battery usage drops, or check your phone's battery usage statistics to see whether WhatsApp is using a lot of it.

[–] cron@feddit.org 2 points 6 hours ago

Battery draw? There are other explanations that are far more likely.

[–] NaibofTabr 3 points 8 hours ago (1 children)

Shit... I can't imagine anything that would prevent a service provider or government from doing this all the time to everyone.

[–] cron@feddit.org 4 points 6 hours ago (1 children)

A service provider has no reason to do this. They see you moving around all the time. They can likely determine your location as close as a few hundred meters.

[–] NaibofTabr 1 points 4 hours ago* (last edited 4 hours ago)

It's not just about location, you can figure out usage habits this way:

These response times vary depending on whether a phone is active, idle, offline, connected to WiFi, or using mobile data.

Stable and fast responses can suggest that a device is actively used at home, while slower or inconsistent timings may indicate movement or weaker connectivity.

Over extended periods, these patterns can reveal daily routines, sleep schedules, and travel behavior without accessing message content or contact lists.

With a baseline of your normal usage behavior, I can start to build prediction patterns for what you'll do and when, and then start analyzing deviations from your normal usage. If I do this for an entire service network I can then start to link up people with similar behavior patterns and build relationship webs.

That kind of information would be relatively easy to sell to advertising businesses. For example, if I'm pushing ad notifications on personal devices (Amazon) then I might want to know what times of day a user is most likely to view and interact with my ad notification. That might be information I'd be willing to buy from a service provider.

The potential uses for such information get darker from there - things like government agencies tracking the behavior of critics and progressives and building relationship profiles for them.

Given the usage patterns and location tracking and credit card and banking records for a given individual, I can pretty much understand their entire life.
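The quoted article text above says receipt response times differ between phone states (active, idle, Wi-Fi, mobile data), which is what makes the routine-tracking described in this thread possible. The simulation below is an added illustration, not code from the thread, the article or the research paper: it builds two constructed latency distributions, measures how well a single threshold tells them apart, and then shows how much that separability drops if the server adds random delay before forwarding receipts. The latency figures and the jitter mitigation are assumptions for the demonstration; the thread does not say either messenger does this.

```python
"""Added illustration: how distinguishable two receipt-timing states are,
and what random server-side delay (a hypothetical mitigation) does to that.

All numbers are constructed for the demo; nothing here is measured data.
"""
import random
import statistics

# Constructed latency model in milliseconds: (mean, stddev) per state.
# Assumption for illustration only, not measurements from any messenger.
STATE_LATENCY_MS = {
    "active_wifi": (120.0, 15.0),
    "idle_mobile": (900.0, 200.0),
}


def sample_latencies(state, n, rng, jitter_ms=0.0):
    """Draw n round-trip times for `state`.

    `jitter_ms` models a hypothetical server that holds each receipt for a
    uniformly random delay in [0, jitter_ms] before forwarding it.
    """
    mean, sd = STATE_LATENCY_MS[state]
    samples = []
    for _ in range(n):
        base = max(1.0, rng.gauss(mean, sd))          # latency can't go negative
        samples.append(base + rng.uniform(0.0, jitter_ms))
    return samples


def best_threshold(fast, slow):
    """Midpoint between the two sample medians, used as the decision boundary."""
    return (statistics.median(fast) + statistics.median(slow)) / 2.0


def classify_accuracy(fast, slow, threshold):
    """Fraction of samples labelled correctly: fast < threshold <= slow."""
    correct = sum(1 for x in fast if x < threshold)
    correct += sum(1 for x in slow if x >= threshold)
    return correct / (len(fast) + len(slow))


def separability(jitter_ms, n=2000, seed=1):
    """Accuracy of a one-threshold classifier between the two states for a
    given amount of added server-side jitter. 1.0 = perfectly separable,
    0.5 = no better than guessing."""
    rng = random.Random(seed)                        # fixed seed: reproducible
    fast = sample_latencies("active_wifi", n, rng, jitter_ms)
    slow = sample_latencies("idle_mobile", n, rng, jitter_ms)
    return classify_accuracy(fast, slow, best_threshold(fast, slow))


def recovered_mean_gap(jitter_ms, n=2000, seed=1):
    """Difference of sample means under jitter. Averaging many probes still
    recovers the underlying gap, which is why jitter alone only slows an
    observer down rather than stopping them."""
    rng = random.Random(seed)
    fast = sample_latencies("active_wifi", n, rng, jitter_ms)
    slow = sample_latencies("idle_mobile", n, rng, jitter_ms)
    return statistics.mean(slow) - statistics.mean(fast)


if __name__ == "__main__":
    for j in (0.0, 500.0, 3000.0):
        print(f"jitter={j:6.0f} ms  per-sample accuracy={separability(j):.3f}"
              f"  mean gap={recovered_mean_gap(j):7.1f} ms")
```

With no added delay a single observation separates the two constructed states almost perfectly; with a few seconds of random hold time per receipt, one observation is only modestly better than a coin flip. The second function makes the defender's caveat explicit: the mean gap survives the jitter, so an observer who probes persistently and averages can still recover the state, which is why per-message jitter is a slowdown rather than a fix, and why blocking messages from unknown accounts (as suggested earlier in the thread) attacks the problem at a different point: it removes the probe channel rather than blurring it.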