Careless Whisper: Exploiting Stealthy End-to-End Leakage in Mobile Instant Messengers

A majority of the global population relies on mobile instant messengers for personal and professional communication. Besides plain messaging, many services implement convenience features, such as delivery- and read receipts, informing a user when a message has successfully reached its target. Furthermore, they have widely adopted security and privacy improvements, such as end-to-end encryption. In this paper, we show that even when messages are sufficiently encrypted, private information about a user and their devices can still be extracted by an adversary. Using specifically crafted messages that stealthily trigger delivery receipts allows arbitrary users to be pinged without their knowledge or consent. We demonstrate how an attacker could extract private information, such as the number of user devices, their operating system, and their online- and activity status. Moreover, we show the feasibility of resource exhaustion attacks draining a user's battery or data allowance. Due to the widespread adoption of vulnerable messengers (WhatsApp and Signal), we show that over two billion customers can be targeted simply by knowing their phone number.