Description
Summary: A privacy vulnerability exists in Signal where combining message reactions with delivery/read receipts enables adversaries to infer user activity patterns and correlate Signal accounts with WhatsApp accounts. This undermines Signal’s core privacy guarantees by leaking metadata even without breaking encryption.
Severity Rating:
Impact: High (user activity tracking, cross-platform correlation)
Likelihood of Exploitation: Medium–High (requires only controlled message sending and monitoring)
Overall Severity: High
Steps to Reproduce:
Attacker sends a controlled message to a target account.
Attacker monitors reaction acknowledgments to confirm target activity.
Attacker pairs this with delivery/read receipts to establish precise timing.
Using timing correlation, attacker can link Signal and WhatsApp accounts belonging to the same user.
Observed Behavior:
- Reactions generate acknowledgments that reveal when a user is online.
- Delivery/read receipts provide precise timing metadata.
- Together, these allow adversaries to track user behavior across platforms.
Expected Behavior:
- Reactions and receipts should not expose metadata that can be correlated to track users.
- Signal should prevent adversaries from inferring cross-platform activity.
Recommendations for Mitigation:
- Decouple reactions from delivery receipts to prevent correlation.
- Batch or delay receipts to reduce timing precision.
- Provide user option to disable reactions and receipts entirely for high-risk users.
- Audit metadata exposure to identify and eliminate unintended correlation vectors.
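As an added illustration of the "batch or delay receipts" recommendation (example code written for this issue, not Signal's implementation), the sketch below queues receipts per conversation and releases one combined receipt only at the next coarse window boundary plus random jitter, so the emitted time reveals at most "sometime in that window". The 60-second window, 30-second jitter and the `conversation`/`message_id` fields are assumptions; the sample receipts are constructed.

```python
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    conversation: str   # assumed identifier of the chat the receipt belongs to
    message_id: int
    event_time: float   # seconds; when the message was actually delivered/read


class ReceiptBatcher:
    """Hold receipts and release them at quantized, jittered times (assumed
    parameters: 60 s window, up to 30 s of extra random delay)."""

    def __init__(self, window=60.0, max_jitter=30.0, seed=None):
        self.window = window          # quantization window in seconds
        self.max_jitter = max_jitter  # random delay added after the window edge
        self.rng = random.Random(seed)
        self.pending = defaultdict(list)

    def add(self, receipt):
        self.pending[receipt.conversation].append(receipt)

    def release_time(self, event_time):
        # Next window boundary strictly after the event, plus jitter, so the
        # observer learns the window but not the exact second of activity.
        boundary = (int(event_time // self.window) + 1) * self.window
        return boundary + self.rng.uniform(0, self.max_jitter)

    def flush(self, conversation):
        """Return (sorted message ids, send_at) for one combined receipt, or
        None when nothing is pending for that conversation."""
        batch = self.pending.pop(conversation, [])
        if not batch:
            return None
        latest = max(r.event_time for r in batch)
        return sorted(r.message_id for r in batch), self.release_time(latest)


def precise_fraction(events, emitted, tolerance=1.0):
    """Fraction of receipts whose emitted time is within `tolerance` seconds of
    the true event: 1.0 for immediate receipts, 0.0 once batched and delayed."""
    hits = sum(1 for e, s in zip(events, emitted) if abs(s - e) <= tolerance)
    return hits / len(events)


if __name__ == "__main__":
    b = ReceiptBatcher(seed=1)
    b.add(Receipt("alice", 1, 12.3))   # constructed sample: two reads in one window
    b.add(Receipt("alice", 2, 45.7))
    ids, send_at = b.flush("alice")
    print(ids, round(send_at, 1), precise_fraction([12.3, 45.7], [send_at] * 2))
```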
Proof of Concept Reference: The issue is demonstrated in the video: “Hack Reactions + Receipts = Track Anyone” (YouTube link: https://www.youtube.com/watch?v=HHEQVXNCrW8).