2 Remove Virus

WhatsApp and Signal flaw enables real-time tracking through message delivery

Security researchers have identified a flaw in WhatsApp and Signal that allows third parties to track user activity in near real time. The issue is linked to how both messaging services handle delivery receipts, which confirm that a message has reached a device. By repeatedly sending messages and measuring response timing, an observer can determine whether a target is online, offline or actively using their phone. The process does not trigger notifications, leaving users unaware that monitoring is taking place.

Researchers said the technique relies on analysing small variations in network response times. These differences can reveal when a device connects or disconnects from the network and when a user becomes active after a period of inactivity. Because delivery receipts are a core part of the messaging process, users cannot disable them through standard privacy settings. This makes the behaviour difficult to block without changes to the underlying system used by the apps.

In addition to revealing activity patterns, the method can be used to drain device resources. High-frequency probing increases background data use and battery consumption. Over time, this can reduce battery life and affect device performance even when the user is not actively engaging with the apps. Researchers noted that this aspect of the flaw increases its potential impact because it combines privacy exposure with resource exhaustion.

The issue affects both WhatsApp and Signal because they share similar design choices in how delivery acknowledgements are managed. Delivery receipts differ from read receipts, which indicate whether a message has been opened and can usually be disabled by users. Delivery receipts confirm receipt at a technical level and remain active by default. Researchers said that this design choice unintentionally exposes timing information that can be exploited.

Security specialists said the flaw highlights broader challenges in protecting user privacy in large-scale messaging platforms. Features designed to improve reliability can also create side channels that reveal behavioural data. Limiting contact from unknown numbers may reduce exposure, but it does not fully address the underlying issue. Disabling read receipts offers no protection against this form of tracking.

Researchers said that addressing the problem would likely require changes to how delivery acknowledgements are handled at a protocol level. Until such changes are made, users concerned about tracking should be aware that their online status and activity patterns may be inferred without direct access to their accounts. The finding underscores the complexity of balancing functionality and privacy in widely used communication services.