The "Careless Whisper" Attack: How Delivery Receipts Track 3 Billion Messaging Users

The Bottom Line

Security researchers discovered a way to track Signal and WhatsApp users in real time using nothing but their phone number. The attack exploits delivery receipts, the little checkmarks that tell you a message was delivered. Researchers warned Meta and Signal Foundation in 2024. As of December 2025, neither has patched the flaw at the protocol level.

What's the Vulnerability?

Researchers from the University of Vienna and SBA Research discovered what they call the "Careless Whisper" attack in 2024. A proof-of-concept tool called "Device Activity Tracker" demonstrates how anyone can exploit it [1].

How it works:

  1. Attacker sends reaction messages to invalid message IDs (you never see them)
  2. Your phone automatically sends delivery receipts back
  3. The round-trip time reveals whether your phone is active, idle, or offline
  4. By probing every 50 milliseconds, attackers build a real-time activity profile

Active phones respond in under a second. Idle phones take longer. This timing difference is enough to track your activity patterns without any interaction from you.

What Can Attackers Learn?

Activity Patterns

When you wake up, when you sleep, when you're at work, when you're traveling: your phone's response times reveal your daily routine.

Location Inference

Network transitions (WiFi to cellular) create distinct timing signatures. Attackers can detect when you move between locations.

Online Status

Real-time monitoring of whether you're actively using your phone, even with "last seen" disabled.

Device State

Whether your phone is locked, unlocked, in do-not-disturb mode, or airplane mode.

The Weaponized Side Effects

The tracking attack has nastier variants that can harm your device:

Battery Drain Attack

By flooding your phone with high-frequency probing messages, attackers can drain your battery at alarming rates:

  • iPhone: 14-18% battery drain per hour (vs. normal <1%)
  • Samsung: 15% battery drain per hour

Your phone works overtime processing invisible messages and sending receipts. You just see your battery mysteriously dying.

Data Exhaustion Attack

By sending oversized reaction payloads, attackers can consume:

  • Up to 13.3 GB of data per hour
  • Burns through mobile data plans
  • Could cause overage charges

All while you see nothing unusual in the app.

WhatsApp vs Signal: Different Vulnerabilities

WhatsApp (More Vulnerable)

  • No rate-limiting on receipt messages
  • Fully vulnerable to high-frequency tracking
  • Battery/data attacks work at full speed
  • 2+ billion users affected

Signal (Partially Protected)

  • Stricter rate limits enforced
  • Battery/data exhaustion attacks mitigated
  • Delivery receipts still issued (tracking works)
  • 100+ million users affected

Threema was tested and does not exhibit this vulnerability. The researchers excluded it from their proof-of-concept tool.

Who's At Risk?

Anyone with a phone number linked to WhatsApp or Signal can be tracked. But some people face higher stakes:

  • Journalists: Sources can be tracked, schedules mapped
  • Activists: Protest attendance, meeting times revealed
  • Domestic abuse survivors: Abusers can monitor activity patterns
  • Dissidents: Authoritarian governments can track targets
  • Anyone with a stalker: Real-time activity monitoring

CISA warned in November 2025 that state-backed actors are actively targeting Signal and WhatsApp accounts of "high-value" individuals including government officials [2].

Why Hasn't This Been Fixed?

Researchers notified both Meta (WhatsApp) and Signal Foundation in 2024. Neither has implemented a protocol-level fix.

The problem: Delivery receipts are a core feature. Removing them entirely would break functionality users expect. Delaying them would degrade user experience. Rate-limiting helps but doesn't eliminate tracking; it just slows it down.

The reality: Both companies have known about this for over a year. WhatsApp, owned by Meta, a $1.5 trillion company, hasn't implemented rate limits. Signal has rate limits but still issues receipts that enable tracking.

This is a design flaw, not a bug. Fixing it requires rethinking how delivery confirmations work. Neither company has prioritized that.

How to Protect Yourself

WhatsApp Users

Enable "Block unknown messages":

  1. Open WhatsApp → Settings → Privacy
  2. Tap "Advanced"
  3. Enable "Block unknown messages"

Limitation: The setting only blocks unknown senders once their messages exceed a "high volume" threshold that WhatsApp doesn't define clearly. Moderate probing might still work. And you must have this setting enabled before an attack begins.

Disable read receipts:

  1. Settings → Privacy
  2. Disable "Read receipts"

Note: This disables read receipts (blue checkmarks) but NOT delivery receipts (gray checkmarks). The vulnerability exploits delivery receipts, so this only partially helps.

Signal Users

Disable read receipts:

  1. Settings → Privacy
  2. Disable "Read receipts"

Signal's rate limiting provides some protection against battery/data attacks but doesn't prevent tracking.

For High-Risk Users

  • Use Threema: Not vulnerable to this attack, doesn't require phone number
  • Use Session: No phone number required, decentralized
  • Use SimpleX: No persistent identifiers
  • Compartmentalize: Separate phone numbers for different contexts
  • Monitor battery: Sudden unexplained drain could indicate attack

The Bigger Problem

This vulnerability exposes a fundamental tension in encrypted messaging:

End-to-end encryption protects message content. Your texts, photos, and calls are encrypted so only you and the recipient can read them. That's real protection.

Metadata is still exposed. When you're online, who you talk to, how often, for how long: this "metadata" reveals patterns that can be just as dangerous as message content. Delivery receipts are metadata.

Intelligence agencies have said for years: "We kill people based on metadata." The Careless Whisper attack shows how a simple feature like delivery receipts becomes a surveillance channel.

What Should Happen

WhatsApp needs to:

  • Implement strict rate limiting immediately
  • Add random delays to delivery receipts
  • Let users disable delivery receipts entirely (not just read receipts)

Signal needs to:

  • Randomize receipt timing to prevent timing analysis
  • Add option to disable delivery receipts completely
  • Consider making receipts opt-in rather than default

Both need to:

  • Take the vulnerability seriously instead of ignoring it for a year
  • Be transparent about what they're doing to fix it
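To make the two controls asked for here concrete (a per-sender rate limit on receipts, which blunts the battery and data-exhaustion variants, and randomized receipt timing, which degrades the timing inference described under "How it works"), here is a small Python simulation of a client-side receipt policy. It is an added example, not code from the Careless Whisper researchers, WhatsApp or Signal. The response delays (0.2 s active, 2.5 s idle), the limit of 10 receipts per sender per 60 seconds, the 1-second observer threshold and the 5-second jitter are all assumed values chosen for illustration.

```python
"""Simulated client-side delivery-receipt policy: rate limiting plus jitter.

Added example, not code from the Careless Whisper researchers or either app.
All delays and limits below are assumed values for illustration.
"""
import random
from collections import deque

# Assumed device response delay (seconds) before a receipt is produced.
# The article only says active phones answer in under a second and idle
# phones take longer; these particular numbers are constructed.
BASE_DELAY = {"active": 0.2, "idle": 2.5}


class ReceiptPolicy:
    """Decides whether, and after how long, a client emits a delivery receipt.

    max_per_window / window_s: sliding-window cap on receipts per sender, so a
        flood of probe messages cannot make the device answer every 50 ms.
    jitter_s: uniform random delay added before the receipt is sent, so the
        round-trip time no longer maps cleanly onto device state.
    """

    def __init__(self, max_per_window, window_s, jitter_s=0.0, rng=None):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.jitter_s = jitter_s
        self.rng = rng if rng is not None else random.Random(0)
        self._sent = {}  # sender -> deque of send timestamps inside the window

    def handle(self, sender, now, device_state):
        """Return the receipt's delay in seconds, or None if it is suppressed."""
        q = self._sent.setdefault(sender, deque())
        while q and now - q[0] >= self.window_s:  # drop timestamps outside window
            q.popleft()
        if len(q) >= self.max_per_window:
            return None  # rate limit hit: this message gets no receipt at all
        q.append(now)
        return BASE_DELAY[device_state] + self.rng.uniform(0.0, self.jitter_s)


def receipts_sent(policy, sender, n_messages, interval_s, device_state):
    """Count receipts emitted for n_messages from one sender, interval_s apart."""
    return sum(
        policy.handle(sender, i * interval_s, device_state) is not None
        for i in range(n_messages)
    )


def observer_guess(rtt, threshold_s=1.0):
    """The timing rule the article describes: a fast receipt means 'active'."""
    return "active" if rtt < threshold_s else "idle"


def leak_accuracy(jitter_s, trials=200, seed=1):
    """Fraction of receipts whose timing lets the observer's rule guess the
    true device state; the rate limit is disabled so only jitter matters."""
    policy = ReceiptPolicy(10**9, 1.0, jitter_s=jitter_s, rng=random.Random(seed))
    correct = 0
    for i in range(trials):
        state = "active" if i % 2 == 0 else "idle"
        delay = policy.handle("observer", float(i), state)
        if observer_guess(delay) == state:
            correct += 1
    return correct / trials


if __name__ == "__main__":
    limited = ReceiptPolicy(max_per_window=10, window_s=60.0)
    # 1200 messages at 50 ms: without a limit the device would answer all of them
    print("receipts for a 50 ms probe flood:",
          receipts_sent(limited, "probe", 1200, 0.05, "active"))
    print("receipts for 5 real messages:",
          receipts_sent(limited, "friend", 5, 10.0, "active"))
    for j in (0.0, 5.0):
        print(f"observer accuracy with {j:.0f}s jitter: {leak_accuracy(j):.2f}")
```

The rate limit alone illustrates the point made under "Why Hasn't This Been Fixed?": a 1200-message flood in one minute yields only ten receipts, which stops the battery and data drain, but those ten receipts still carry exact timing, so tracking continues at a slower pace. Jitter is what attacks the timing channel itself, and its effect depends on its size relative to the gap between device states: with uniform jitter of 5 s against a 2.3 s gap the fixed-threshold observer drops from 100% to roughly 58% accuracy, while a jitter smaller than the gap would leave the two states separable. Legitimate contacts sending a handful of messages per minute are unaffected by the limit.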

What You Should Do Right Now

  1. Enable WhatsApp's "Block unknown messages" - Partial protection is better than none
  2. Disable read receipts on both apps - Reduces metadata exposure
  3. Watch your battery - Sudden drain could indicate attack
  4. Consider alternatives - Threema, Session, SimpleX for sensitive communications
  5. Pressure the companies - This has been known for over a year. Make noise.

See our step-by-step guide to delivery receipt privacy settings for detailed instructions on both platforms.

The Pattern

A researcher discovers a vulnerability. They responsibly disclose it. A year passes. Nothing changes. The tool goes public. Billions of users remain vulnerable.

This is how privacy erodes. Not through dramatic hacks, but through convenient features that become surveillance channels. The checkmarks that tell you someone got your message? They're also telling anyone who cares to look when you're awake, when you're asleep, and where you are.

Meta is worth $1.5 trillion. They haven't implemented rate limiting on a known vulnerability affecting 2 billion users. Signal is a nonprofit focused on privacy. They've had a year to randomize receipt timing.

The fix isn't technically difficult. The priority just isn't there.

Until it is, your "secure" messaging apps are tracking you.


References

  1. Cyber Insider - Tool allows stealthy tracking of Signal and WhatsApp users through delivery receipts
  2. The Register - CISA: Spyware crews breaking into Signal, WhatsApp accounts (November 2025)
  3. "Careless Whisper" - University of Vienna and SBA Research, 2024
  4. Device Activity Tracker proof-of-concept - GitHub (gommzystudio)