Tal Be’ery showed that WhatsApp leaks metadata that lets an attacker silently learn when someone is online and which devices they use by exploiting WhatsApp Web and per-device encryption fingerprints. Because any user can contact another by phone number and WhatsApp exposes device keys when a chat is initiated, attackers — from scammers to nation-state APTs — can perform silent pings and device fingerprinting without needing zero-day exploits. #WhatsApp #TalBeery
Keypoints
- Be’ery used a custom WhatsApp Web program to send silent pings that reveal a target’s online habits.
- WhatsApp’s per-device end-to-end encryption keys disclose the types of devices a user has registered.
- An attacker can add a victim’s number without notification to harvest device fingerprints and timing information.
- Metadata leaks enable tailored attacks, surveillance pricing, and targeted spyware by sophisticated actors.
- Meta has applied piecemeal fixes for specific message types, but critics say a broader contact-restriction approach would be more effective.
Read More: https://www.darkreading.com/endpoint-security/whatsapp-leaks-user-metadata