dChan
Anonymous ID: 9d159e Nov. 22, 2025, 11:12 a.m. No.23889238   ๐Ÿ—„๏ธ.is ๐Ÿ”—kun   >>9249 >>9486 >>9702 >>9896

https://www.youtube.com/watch?v=B9Syj555RQc

 

UNPATCHED "Design Flaw" in E2E encryption apps tracks EVERYTHING you do

 

End to end encrypted messaging apps, such as WhatsApp and Signal, have a shocking, high severity unpatched side channel vulnerability, that can be exploited by any government, intelligence agency, law enforcement agency, and even private company or individual person, the ability to build a complete profile on you, including what devices you use, how long you use them for, who you're communicating with, your daily sleeping habits, working habits, when you physically move, when you're at home, when your on Wi-Fi vs cellular data, the exact times and durations of when you make phone calls, and so much more, without knowing anything other than your phone number. Whether you're a pen tester, security researcher, or cyber security expert, I hope you'll find this attack as fascinating as I did.

 

Official Source:

https://arxiv.org/pdf/2411.11194

 

0:00 โ€“ Overview

1:53 - End-to-end encryption background

3:21 โ€“ Multi-device support

6:31 โ€“ Message delivery & receipts

8:03 โ€“ Attack vector

10:42 โ€“ Timing side-channel

11:35 โ€“ Video demo

12:23 โ€“ Severe information leaks

15:57 โ€“ Solutions and implications

17:36โ€“ Can you do anything yourself?

18:18 - Very interesting personal finding + demo

Anonymous ID: 9d159e Nov. 22, 2025, 11:14 a.m. No.23889249   ๐Ÿ—„๏ธ.is ๐Ÿ”—kun   >>9269

>>23889238

>Official Source:

>https://arxiv.org/pdf/2411.11194

 

Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers

 

https://arxiv.org/abs/2411.11194

 

With over 3 billion users globally, mobile instant messaging apps have become indispensable for both personal and professional communication. Besides plain messaging, many services implement additional features such as delivery and read receipts informing a user when a message has successfully reached its target. This paper highlights that delivery receipts can pose significant privacy risks to users. We use specifically crafted messages that trigger delivery receipts allowing any user to be pinged without their knowledge or consent. By using this technique at high frequency, we demonstrate how an attacker could extract private information such as the online and activity status of a victim, e.g., screen on/off. Moreover, we can infer the number of currently active user devices and their operating system, as well as launch resource exhaustion attacks, such as draining a user's battery or data allowance, all without generating any notification on the target side. Due to the widespread adoption of vulnerable messengers (WhatsApp and Signal) and the fact that any user can be targeted simply by knowing their phone number, we argue for a design change to address this issue.