VIENNA - A critical privacy vulnerability affecting more than 3 billion users worldwide has been identified in two of the world's most secure messaging platforms, WhatsApp and Signal. Security researchers have detailed a new exploit method dubbed "Careless Whisper," which leverages the delivery-receipt mechanism to let attackers silently monitor user activity without ever notifying the victim.
The discovery, led by a team from the University of Vienna in collaboration with SBA Research and Intigriti, fundamentally challenges the perceived invulnerability of end-to-end encrypted messaging apps. By crafting specially designed messages, hackers can trigger delivery receipts on a target's device while the message itself remains invisible. This allows malicious actors to extract sensitive data about user behavior, device status, and network presence without the user's knowledge.
The Mechanics of "Careless Whisper"
The core of the vulnerability lies not in the encryption of the message content, which remains secure, but in the metadata generated by the app's operational protocols. According to the research paper presented at RAID 2025, the flaw exploits the automated feedback loops that tell a sender when a message has been delivered.
In a standard interaction, a user sees a double checkmark (WhatsApp) or filled circle (Signal) when their message lands on the recipient's phone. The "Careless Whisper" exploit manipulates this system. Attackers send malformed or specifically crafted data packets that force the recipient's device to emit a delivery receipt, yet the application suppresses the notification or display of the message itself.
"Attackers craft special messages that trigger silent delivery receipts, leaving no notification on the victim's device, enabling continuous monitoring without detection. The vulnerability exploits message reactions, edits, and deletions." - GBHackers
This "silent ping" capability allows an attacker to map a user's activity patterns. By analyzing when receipts are generated, a threat actor can determine when a user is online, their battery status, and potentially infer their location based on network latency variations. The researchers noted that these attacks can also lead to "resource exhaustion," draining the victim's data quota and battery life through continuous, invisible pinging.
Context: A Year of Security Challenges
This revelation caps a turbulent year for mobile security. In February 2025, Meta confirmed a separate zero-click spyware attack that targeted approximately 90 journalists and activists. That incident involved malicious PDF files that deployed spyware without any user interaction. The recurrent nature of these vulnerabilities highlights a growing sophistication in how state-sponsored entities and cybercriminals bypass user defenses.
While WhatsApp and Signal are renowned for their use of the Signal Protocol for encryption, which ensures that not even the service providers can read message content, metadata remains a contested battleground. As noted by Techxplore, "end-to-end encryption protects the content of messages, but not necessarily the associated metadata." This distinction is crucial: intelligence agencies and private surveillance firms often rely on metadata (who is talking to whom, when, and from where) rather than content to build profiles on targets.
Stakeholder Responses and Fixes
The researchers responsible for discovering "Careless Whisper" followed responsible disclosure protocols, submitting their findings to both WhatsApp and Signal prior to public release. Recent reports indicate that platforms are moving to address these gaps.
According to Malwarebytes, WhatsApp recently closed a loophole in November 2025 that had allowed researchers to scrape data on 3.5 billion accounts. Furthermore, BankInfoSecurity reported that WhatsApp successfully neutralized a separate exploit in late 2024 via a server-side fix, demonstrating the company's capability to patch certain vulnerabilities without requiring user action.
Implications for Politics and Society
The strategic value of such vulnerabilities cannot be overstated. In an era where dissidents, journalists, and government officials rely on Signal and WhatsApp for confidential communication, the ability to silently track user availability is a potent tool. The Intercept previously reported on assessments suggesting that "clever observation of encrypted data" (correlation attacks) can thwart privacy protections, a technique of high interest to government surveillance programs.
For the general public, the "Careless Whisper" flaw represents a subtle but significant erosion of digital privacy. It moves the threat boundary from "hacking into a phone" to simply "interacting with the network." If an attacker can drain a battery or track sleep patterns merely by sending invisible messages, the concept of a "private" device is fundamentally compromised.
What Happens Next?
Security experts anticipate a continued arms race between platform developers and security researchers. As simple message content becomes harder to access due to robust encryption, attackers will increasingly focus on side-channel attacks like delivery receipts and typing indicators.
Users are advised to keep their applications updated to the latest versions, as fixes for these logic flaws are often rolled out in standard updates. However, the nature of the "Careless Whisper" attack, which exploits the fundamental design of instant-messaging delivery confirmation, suggests that a complete resolution may require a rethinking of how delivery receipts function in secure environments.