Careless Whisper Exploiting Silent Delivery Receipts to Moni...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://arxiv.org/html/2411.11194v4
• Blog Title: Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers
• Suggested Section: Generic Methodologies & Resources -> Side-Channel Attacks on Messaging Protocols (Delivery Receipts in E2EE Messengers)

🎯 Content Summary

This work shows how delivery receipts in end-to-end encrypted (E2EE) mobile messengers (WhatsApp, Signal, Threema) can be turned into a high‑resolution timing and multi‑device side channel for surveillance and stealthy resource exhaustion, even though message contents are protected by E2EE.

How delivery receipts work in modern E2EE messengers.
WhatsApp and Signal use protocols where servers only forward ciphertext; most protocol logic (error handling, re‑encryption, re...

🔧 Technical Details

Timing side‑channel via non‑disableable delivery receipts.
Any E2EE messenger that uses device‑ack delivery receipts for reliability exposes a timing side channel: the RTT between sending a trigger and receiving the device‑ack leaks network and device processing delays. By choosing a message type that always generates a receipt but is UI‑silent (e.g., certain reactions/edits/deletes), an attacker can probe at high frequency (≈1 Hz) and build long time‑series of RTTs. These traces are then used to infer screen on/off states, app foreground/background, and coarser device‑presence properties.

Stealth probing in existing chats via self‑reactions and invisible removals.
In WhatsApp and Signal, users can react to their own messages. Reactions to self‑messages produce device‑acks but no notifications for the conversation partner. Furthermore, removing a reaction is implemented as sending a reaction with an empty string payload, which is fully invisible in...

🤖 Agent Actions

Summary:

• Added a new Side-Channel Attacks on Messaging Protocols page describing how silent delivery receipts in WhatsApp, Signal, and Threema can be abused for timing side channels, multi-device fingerprinting, behavioral inference, and resource exhaustion. The page documents attacker models, tooling, workflows for “creepy companions” and “spooky strangers,” reuse of edits/deletes, amplification via client-fanout, and defensive strategies, plus references to the original research and supporting tooling.
• Linked the new resource from the Pentesting Methodology “MORE” section so it is discoverable from the generic methodologies index.

Tests: Not run (not required).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

• MD files processed: 916
• MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://arxiv.org/html/2411.11194v4

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources -> Side-Channel Attacks on Messaging Protocols (Delivery Receipts in E2EE Messengers)".

Repository Maintenance:

• MD Files Formatting: 916 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0