WhatsApp, Threema, Signal Vulnerability Can Expose User's Location: Report
KEY POINTS
- Three popular instant messaging apps have a vulnerability
- This can be exploited and allow actors to locate users
- This is alarming especially for apps claiming they are secure and private
There is a way malicious actors can exploit to expose the location of secure instant messenger apps like WhatsApp, Threea and Signal, according to a new report.
Digital privacy advocacy group Restore Privacy reported a vulnerability among secure instant messenger apps that can pinpoint users' location with 80% accuracy depending on the success rate of a "specially crafted timing attack." The report noted that "the trick lies in measuring the time taken for the attacker to receive the message delivery status notification on a message sent to the target."
It explained, "because mobile internet networks and IM app server infrastructure have specific physical characteristics that result in standard signal pathways, these notifications have predictable delays based on the user's position." Based on the report, if one sends a message and determines the amount of time it takes until the receiver gets the said message, the timing will determine the distance the message traveled from the sender to the receiver.
The timing attack, according to the report, can give away the recipient's location by country, region, district, city, and if they are using WiFi- or mobile data. Researchers believe that this vulnerability can be exploited against secure instant messenger apps like WhatsApp, Threema and Signal.
"If the attackers perform enough tests to formulate an extensive dataset against a target, they could infer their position among a set of given possible locations in a city, like 'home,' 'office,' 'gym,' etc., based on nothing else but the delivery notification delay," the report claimed. "These notifications are standard across many popular IM apps, and the researchers confirmed they are exploitable against even the most (generally) secure messenger services, like Signal and Threema, as well as WhatsApp," it added.
The privacy advocacy group is alarmed about the implications of this vulnerability, especially since these apps advertised themselves as secure and private messengers. WhatsApp, for instance, has more than two billion users, while Signal and Threema have around 40 million and 10 million users, respectively.
"The implications of this attack are alarming from a user privacy perspective. These platforms, particularly Signal and Threema, promote themselves as secure and private messengers that go above and beyond the security of other platforms," the group said.
© Copyright IBTimes 2024. All rights reserved.