Tracking WhatsApp (symbolic image created with Stable Diffusion)

Researchers at the University of Vienna have uncovered vulnerabilities in WhatsApp and Signal that allow undetectable user tracking through round-trip time (RTT) measurements. A simple program now available on GitHub demonstrates how easily this weakness can be exploited.

Marc Herter (translated by Marc Herter), Published 12/11/2025

A group of researchers from the University of Vienna has found a small but serious security hole in the way end-to-end encrypted (E2EE) messaging services work. The study, initially published on November 17, 2024, under the title “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers,” highlights the possibility of tracking devices using round-trip time (RTT) data when WhatsApp or Signal is installed.

A program has now been released on GitHub that can automatically exploit this vulnerability in WhatsApp. While the provision of such a tool raises ethical concerns, it is intended to pressure WhatsApp into addressing the security gap and improving user privacy protections.

It turns out the basic idea behind that program is surprisingly simple. The tracker sends reaction messages to non-existent message IDs. The target device still replies with a delivery receipt. This reaction, invisible to the