A group of researchers has warned about a potential vulnerability in popular messaging applications such as WhatsApp or Signal that they have identified in shipment status notification, since a misuse of it can help determine the user’s location.
Applications like WhatsApp, Signal or Threema include a message delivery status notification, that indicates to the sender if it has reached its destination, which in WhatsApp, for example, translates into the two ticks in gray (they turn blue when the contact reads it).
This notification system, however, can provide additional information such as the user’s location, as has been shown in a study carried out by researchers from different universities in Germany, the Netherlands, the United States and the United Arab Emirates.
From this “conceptual threat”, the researchers have concluded that “after a training phase, a messaging user can distinguish different locations of the recipient of messages”, and this based on the time it takes to receive the notification.
Although this communication is understood as digital, since there is no tangible letter, for example, it also has a physical part related to deployed networks and Internet servers, which make distance also influences transmissions.
“We show that sending messages using each of these three messaging services to recipients in different locations results in different and distinguishable delivery notification timing patterns“, state the researchers in the text of the study.
They also point out that an attack of this type could determine the location at the country level where the user is, but also on a smaller scale, like the city. And that would be pretty accurate: “For example, out of three locations within the same city, the sender can determine the correct one with more than 80% accuracy.”