[Privacy Risk] Careless Whisper: Silent Delivery Receipts Enable User Monitoring and Resource Exhaustion Attacks

[Klemart3D]

Guidelines

• I have searched searched open and closed issues for duplicates
• I am submitting a bug report for existing functionality that does not work as intended
• This isn't a feature request or a discussion topic

Bug description

Description

A recent research paper titled "Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers" highlights a significant privacy vulnerability in mobile instant messaging apps, including Signal. The paper demonstrates that attackers can exploit silent delivery receipts to monitor users' online/activity status (e.g., screen on/off), infer the number of active devices and their operating systems, and even launch resource exhaustion attacks (e.g., battery or data drain) without the victim's knowledge or consent.

This issue is particularly concerning because:

1. It requires only the victim's phone number to execute.
2. No notification is generated on the victim's device.
3. It affects widely used apps, including Signal.

Steps to Reproduce

The paper describes a method using specifically crafted messages to trigger silent delivery receipts at high frequency. While the exact technical details are in the paper, the core issue lies in how delivery receipts are handled and exposed to potential attackers.

Expected Behavior

Delivery receipts should not be exploitable to monitor users or launch resource exhaustion attacks. Ideally, delivery receipts should either:

• Be disabled by default, or
• Include rate-limiting or authentication mechanisms to prevent abuse.

Additional Context

• The paper was awarded "Best Paper" at RAID 2025.
• The vulnerability is not limited to Signal but affects other major messaging platforms.
• The authors recommend a design change to mitigate these risks.

References

• arXiv:2411.11194
• Authors: Gabriel Karl Gegenhuber et al.

Suggested Mitigations

1. Review how delivery receipts are processed and exposed.
2. Implement rate-limiting or require explicit user consent for delivery receipts.
3. Explore alternative designs that prevent silent monitoring.

Thank you for your attention to this critical privacy issue. Let me know if you need further details or assistance.

Screenshots

No response

Device

No response

Android version

No response

Signal version

No response

Link to debug log

No response

[jeffrey-signal]

Duplicate of #14463. Please refer to this reply: #14463 (comment)