Hackers have found a way to secretly track users on popular messaging apps like WhatsApp and Signal using delivery receipts. These “silent” receipts let attackers monitor device activity without sending visible notifications.
Silent Probing Mechanics
Attackers send crafted messages, such as reactions to non-existent chats or self-reactions, which trigger delivery receipts but produce no alerts on the victim’s phone.
These receipts reveal round-trip times (RTTs) that differ based on device state for instance, screen-on states yield about 1-second RTTs on iPhones, while screen-off states exceed 1 second.
High-frequency pings (sub-second intervals on WhatsApp) enable second-level tracking of online status, app foreground use (300ms RTTs), and multi-device logins, with each companion device (web/desktop) responding independently.
No prior chat is needed; a phone number suffices for “spooky stranger” attacks on both apps.
| Messenger | Stealth Reactions | Multi-Device Tracking | Stranger Access |
|---|---|---|---|
| Yes | Yes (independent) | Yes | |
| Signal | Yes | Yes (independent) | Yes |
| Threema | No | No (synchronized) | No |
Privacy Risks and Fixes
RTT patterns expose routines like sleep schedules (no receipts during offline), office logins (low-jitter LAN), or travel (LTE switches), even fingerprinting OS via receipt stacking.
Resource attacks drain batteries (14-18% per hour on iPhones) or inflate data (13GB/hour via 1MB reactions). Universities disclosed findings in 2024; Meta acknowledged, but no patches by late 2025 Signal ignored reports.
Users cannot turn off receipts or block silently. Developers should add noise to timings, rate limits, stricter validation, and optional receipt toggles.
Threema resists via synchronized receipts. With billions of users affected, an urgent redesign is needed for end-to-end encrypted messengers.
