App

Weird flex but ok: WhatsApp less threatened by newly discovered vulnerability than Signal

October 22, 2022
Jill D. Clifton

Popular instant messaging apps can reveal the user’s location, reports the Digital Privacy Advocacy Group restore privacy.
A research team found this out Whatsapp, signal and Threema has a vulnerability that can be exploited by cybercriminals to determine a user’s location with an accuracy of more than 80 percent.

Delivery status notifications can provide clues to your location

People with evil motives can perform what is known as a timing attack, in which an attacker attempts to deduce a user’s location by measuring the time it takes for their message to be delivered. They rely on message delivery status for this critical piece of information.

This can work well because internet networks and messaging app server infrastructure have specific physical properties that result in standard signaling paths. As a result, delivery status notifications have predictable delays based on a user’s location.

An attacker can measure these delays to find out a recipient’s country, city, or county, and can even find out if they’re using WiFi or mobile internet.

For more accurate locations, an attacker can perform this exercise multiple times, creating a dataset to determine the location among a number of different possible locations such as the victim’s home, office, and gym.

For this attack to work, the attacker and target must know each other and have spoken to each other before.

WhatsApp is used by 2 billion people around the world, and although Signal and Threema with 40 million and alarming for users of these two apps respectively.

In fact, Signal and Threema appear to be more vulnerable to these attacks, as the timing attack can be used to infer the location of Signal users with 82 percent accuracy and Threema users with 80 percent accuracy. For WhatsApp, that figure is 74 percent, and while that’s also worrying, we would have expected the gap to be larger.

The report seems to imply that both iOS and Android users are equally vulnerable.

How to thwart the timing attack

The researchers found that the attack is unlikely to work with devices that are idle when receiving a message. Hence, they have suggested that developers show random delivery confirmation times to senders. If the timing is off by 1 to 20 seconds, it would render the timing attack useless without affecting the practical usefulness of delivery notifications.

Users who are concerned about location privacy can try disabling the delivery notification feature, as long as it is supported by the app of their choice. Assuming the app isn’t set up to bypass a VPN (virtual private network), users can use a VPN to increase latency or lag.

RestorePrivacy contacted the manufacturer of the apps in question and received the following response from Threema:

We’ve already considered various workarounds and run various tests, including ones where the client randomly slightly delays delivery notifications, to make this type of time analysis useless. (App updates with this improvement should be available soon.)

Please note, however, that the practicality of these timing analyzes is debatable: users typically don’t have their Messenger app open all the time, and push notifications waking up the app in the background already cause a significant delay of up to several seconds.