Exploiting Silent Delivery Receipts to Monitor Users on Instant Messengers (github.com)

🤖 AI Summary
A new proof-of-concept tool, developed by researchers at the University of Vienna and SBA Research, exploits the round-trip time (RTT) of delivery receipts on WhatsApp and Signal to track user activity, exposing privacy vulnerabilities in both apps. The "Device Activity Tracker" measures RTT fluctuations to determine whether a user is actively using their device or whether it is in standby mode. The tool can also identify location changes and analyze user activity patterns over time, raising significant concerns about the potential for surveillance in widely used instant messaging applications.

The project highlights critical privacy risks in messaging platforms by showing how easily attackers can monitor user activity without the user being notified. Because it assesses real-time device state through RTT analysis, the tracker demonstrates an exploit that remains viable even when existing privacy settings are applied, such as disabling read receipts. The vulnerabilities persist in both WhatsApp and Signal as of late 2025, so the tool serves as an urgent reminder for developers and users to prioritize security measures, such as adjusting privacy settings to mitigate unauthorized tracking.