Your Secure Messenger is Spying on You (And You Can’t Turn It Off)

Researchers from the University of Vienna published 'Careless Whisper,' exposing a serious vulnerability in WhatsApp and Signal. By exploiting delivery receipts — which cannot be disabled — attackers can silently ping a victim's phone up to 20 times per second using invisible ghost reactions. Analyzing round-trip timing reveals whether the phone is in use, the network type, device model, and even physical location patterns. Multi-device setups amplify the risk by leaking work hours and commute schedules. WhatsApp's lack of rate limiting also enables resource exhaustion attacks: forcing 13.3 GB/hour of hidden data downloads and draining an iPhone 11 battery by 18% per hour. The attacker only needs the victim's phone number — no prior contact required. Both Meta and Signal were notified in September 2024 but have not issued fixes. Mitigations include restricting phone number visibility on Signal and enabling unknown account blocking on WhatsApp.