this post was submitted on 19 Dec 2025
67 points (88.5% liked)
Cybersecurity
8813 readers
94 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Security expert here.... This issa nothing Burger and will be fixed on the server side soon I expect. This is about spreading fear uncertainty and doubt. The research is academic in nature and the results are interesting, but this is only a side channel to reveal things like maybe you rough timezone and maybe a few correlations via connectivity quality. This is what they do if they need to confirm if a person uses the same phone number for example. And the could just look it up in the registry or maybe just call you...
This is not a widespread privacy concern, is not very practical to use, especially at scale and is early fixable. Its comparable to the traffic pattern analysis they do to confirm tor users identity if they found them but need supporting evidence. Its what's left when the technology works as intended. So chill your paranoia.
IT hobbyist here. This guy knows his stuff. Dangerous attacks are the ones that are very low effort with medium to high reward. This attack is high effort and low reward. This is one of these trivia things, that you will virtually never see in the wild.
High effort is not a great thing to count on. Once these things are discovered there are all sorts of clever (or not so clever) ways to automate the effort away. Especially now with AI.
This is not high effort. Starting from an open source WhatsApp client library, reproducing the attacks described in the research paper is trivial. There are even a few public github repos implementing PoCs of this.
Whether the reward should be considered high or low is ultimately subjective. What is objectively verifiable, however, is that an attacker can continuously (and silently) monitor several aspects of a target’s environment, including:
In addition, an attacker could deliberately drain the target’s phone battery and consume their mobile data allowance.
While I appreciate your refusal to spread panic, would you mind explaining what the attack does and why it's a nothingburger, maybe even why it's not practical? Because right now, you assert a lot of things without any explanation.
Not saying you're wrong, but I think it's good practice to not just rely on claims of authority
Very simplified: assume you send somebody a signal messages every second and observe the timing of the "delivered" icon. They do the same but the messages are invisible and they time the icon very exactly.
It’s also worth considering the Signal threat model: a contact you communicate with is not considered an adversary. You can choose not to accept an initial message request.
I believe Signal has already fixed it, while meta said they won't fix this in WhatsApp.
This side channel can be used to infer more than a rough timezone, specifically, an attacker could continuously monitor :
In addition, an attacker could deliberately drain the target’s phone battery and consume their mobile data allowance
I've tested this on myself and can confirm all of this can be done reliably