LmCast :: Stay tuned in

WhatsApp Leaks User Metadata to Attackers

Recorded: April 20, 2026, 3:02 p.m.

Original

WhatsApp Leaks User Metadata to Attackers

Strangers can infer limited info about you without knowing or messaging you, which could theoretically aid certain kinds of malicious activity.

Nate Nelson, Contributing Writer, Dark Reading. April 20, 2026. 7 Min Read. Source: stLegat via Alamy Stock Photo.

Tal Be'ery knew that I was online the night before I called him. He knew what kind of device I was using. I didn't share this information with him. All he had was my phone number.

I had no way to know that he was learning that information about me, either. Be'ery, cofounder and chief technology officer (CTO) of Zengo (whose $70 million acquisition by eToro was announced during our call), silently pried into my online habits, with my permission, using a jerry-rigged program he designed to plug into WhatsApp and exploit the thin layer of metadata it leaks. In a presentation at Black Hat Asia 2026, he'll show that anyone can perform the same tricks, be they sophisticated nation-state advanced persistent threats (APTs) or lowly scammers. It doesn't require any kind of zero-day; all one has to do is leverage WhatsApp's own design choices.

Dark Reading contacted WhatsApp in the process of reporting this story. The company made no official statement but did confirm the details of Be'ery's findings and alluded to mitigations it's been working on to address the areas of his research WhatsApp deems significant.

Silent Pings

In 2024, Austrian researchers described a series of ways that WhatsApp users can send recipients application-layer messages that don't actually show up on the victim's device. With a custom program plugged into the WhatsApp Web protocol, one could, for instance, send a reaction to a message that doesn't exist. Nothing will happen in the recipient's app, but the sender will still be able to infer whether the recipient was active and online, based on the time it takes to get a delivery receipt in return.

Presumably, if an attacker used such a program to constantly, silently ping a recipient's device, they could paint a picture of their victim's online habits: their sleep or work schedule, when they might be primed to receive the right kind of phishing message, and so on. The same stream of invisible messages also works as a resource exhaustion attack, slowly draining the recipient's battery without the victim knowing why.

It's even easier to find out what kinds of devices a victim is using, thanks to a quirk in WhatsApp's flagship security feature. The app provides end-to-end encryption for all chats, to the extent that even WhatsApp itself cannot pry into your texts. To make that happen, each device registered to a WhatsApp account has its own "fingerprint": its own key pair and a device ID, which differ depending on the underlying operating system (OS). When a sender starts a new chat with a recipient, behind the scenes, the sender receives the public keys and IDs for every device that recipient has registered with WhatsApp. So by merely adding a victim to one's contact list, an action that does not alert the victim in any way, an attacker can learn what kinds of devices they use WhatsApp on.

"With end-to-end encryption, if someone attacks WhatsApp's servers, they cannot read your data, and even WhatsApp cannot read your data. But the flip side of this coin is that WhatsApp also cannot protect you," Be'ery explains.

Device information might not sound interesting, and WhatsApp isn't the only messaging system that leaks it. Apple's iMessage does so much more visibly, in fact, via its famous blue and green text bubbles. Be'ery's security report on this subject did not meet WhatsApp's threshold for generating a CVE, but the researcher argues that device fingerprinting is useful to bad actors.

At the benign end of the spectrum, companies could use that kind of information to perform surveillance pricing. "You're a potential customer, and I need to know what price to suggest to you. So I have a tell. Maybe you're willing to pay more because you're an iPhone user, and you also have an iPad, and not cheaper Android-based devices."

In the shady world of spyware, powerful threat actors need to ultra-tailor their attacks to specific operating systems. Armed with this knowledge, nation-states can purchase and deploy tools tailored to their specific targets' devices. In his experiments on me, Be'ery went one step further: He sent a message to my desktop, which never arrived on the other devices on which I have WhatsApp installed. "A properly implemented client would have sent it to all three of the devices. But with a rogue client, then I can send to just one, and if I had a Web exploit, then I would send it to just that device," he explains.

WhatsApp's Core Problem

If an unrecognized number has ever sent you a WhatsApp message simply saying "Hi" without elaborating, or added you to a huge group chat about cryptocurrencies, you'll know that there's nothing standing between you and the bad actors of the world on Meta's chat app.

Any WhatsApp user can message any of its other 3.5 billion users, so long as the sender knows, or guesses, the right phone number. "From a product perspective, of course it makes a lot of sense," Be'ery acknowledges. "Initially, when you're a small company, before you build your network effect, you don't want to have any friction. You want people to talk to each other."

Even compared to other social apps, though, it's highly permissive. "On social networks like LinkedIn or Facebook, I can only get messages from people within my contacts list. And there is a way, like a minimal interface, for requesting to connect, which cannot contain all kinds of weird data. So it's much more limited, and this creates a much lesser attack surface," Be'ery explains.

WhatsApp's open policy about who can contact whom is what enables Be'ery to track this reporter's online habits, pig butchers to frictionlessly reach your parents, and governments to attack dissidents and journalists with zero-click spyware. In the latter case, at least, targets who know they're targets can enable WhatsApp's new "Strict Account Settings" feature, at some cost to their user experience.

Does WhatsApp Need To Be Fixed?

Thus far, Meta hasn't been interested in changing such a fundamental feature of its application logic, for the reasons Be'ery suggests. Instead it's been working around the problem with features like "Silence Unknown Callers," rate limiting, and more microscopic fixes.

Right around the beginning of the year, for instance, Be'ery noticed that the means by which he could fingerprint Android devices running WhatsApp no longer worked. Because iPhones still leak enough metadata to be identified, and there isn't a third major mobile OS, the fix is moot for now: a device that doesn't fingerprint as an iPhone is, by elimination, an Android. In general, partly in response to Be'ery's research, the developers have quietly been eliminating some means of sending silent pings.

Be'ery takes issue with this approach. "They're going message type by message type. It's a bit of a whack-a-mole. There are dozens of kinds of 'messages': live location, audio-related, all kinds of media-related, polls, etc. Every new feature is a new kind of method [for silent pinging]. So it's much harder," he says, than simply shielding users from strangers like social media platforms do.

"WhatsApp is great," he acknowledges. "I think its end-to-end encryption is much better than what you get, let's say, over Gmail, in which Google is reading your emails because there is no encryption. Having said that, with great power comes great responsibility. I think if only your peers or pre-approved other clients can reach you, then it changes everything. The whole environment would be much safer."

About the Author: Nate Nelson is a journalist and scriptwriter. He writes for the "Darknet Diaries" podcast and co-created the podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.
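The "Silent Pings" section of the article above explains what the delivery-receipt timing reveals but not how a probing client would turn a stream of receipts into a schedule. The following is an added example, not code from Dark Reading or from Be'ery's tool. It assumes that the probing client can send a message the recipient's app never renders (the reaction-to-a-nonexistent-message trick) and still gets a delivery receipt, that a connected device returns that receipt within a few seconds while a probe sent to an offline device is only receipted when the device reconnects, and that the probe log is constructed rather than captured. The 5-second threshold, the 30-minute probe interval and the 23:00-07:00 offline window are all assumptions of the example.

```python
"""Turn silent-probe delivery-receipt timings into a target's daily schedule.

Added example (not Dark Reading's or Be'ery's code). Assumptions, labelled here:
  * the probing client can send a message the recipient's app never renders
    (e.g. a reaction to a message id that does not exist) and still gets a
    delivery receipt for it;
  * a connected device returns that receipt within ONLINE_LATENCY; a receipt
    that arrives much later is the server flushing its queue when the device
    reconnects, which means the device was offline when the probe was sent;
  * the probe log used below is constructed, not captured traffic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ONLINE_LATENCY = timedelta(seconds=5)   # assumed threshold for "acked while connected"


@dataclass
class Probe:
    sent_at: datetime
    delivered_at: Optional[datetime]     # None: no receipt received yet

    def latency(self) -> Optional[timedelta]:
        return None if self.delivered_at is None else self.delivered_at - self.sent_at


def probe_was_online(p: Probe) -> bool:
    """True when the receipt came back fast enough to mean 'connected right now'."""
    lat = p.latency()
    return lat is not None and lat <= ONLINE_LATENCY


def hourly_profile(probes: List[Probe]) -> List[Optional[float]]:
    """Fraction of probes answered promptly, indexed by hour of day; None if no probe that hour."""
    seen, online = [0] * 24, [0] * 24
    for p in probes:
        h = p.sent_at.hour
        seen[h] += 1
        if probe_was_online(p):
            online[h] += 1
    return [online[h] / seen[h] if seen[h] else None for h in range(24)]


def longest_offline_window(profile: List[Optional[float]], threshold: float = 0.2) -> Tuple[Optional[int], int]:
    """Longest run of hours (wrapping past midnight) with online ratio <= threshold.
    Returns (start_hour, length); for a normal day this is the sleep window."""
    offline = [r is not None and r <= threshold for r in profile]
    best_start, best_len, run_start, run_len = None, 0, None, 0
    for i in range(48):                  # walk the clock twice so a run across midnight is one run
        h = i % 24
        if offline[h]:
            if run_len == 0:
                run_start = h
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    return best_start, min(best_len, 24)


def infer_schedule(probes: List[Probe]) -> dict:
    profile = hourly_profile(probes)
    start, length = longest_offline_window(profile)
    return {"profile": profile, "asleep_from_hour": start, "asleep_hours": length}


def constructed_probe_log(day: datetime) -> List[Probe]:
    """Constructed sample: one probe every 30 minutes for one day. The target's phone is
    taken to be off the network from 23:00 to 07:00; everything queued in that window is
    receipted together at 07:01 when it reconnects."""
    reconnect = day.replace(hour=7, minute=1)
    probes = []
    for i in range(48):
        t = day + timedelta(minutes=30 * i)
        if t.hour < 7:
            delivered = reconnect                         # flushed at this morning's reconnect
        elif t.hour >= 23:
            delivered = reconnect + timedelta(days=1)     # flushed tomorrow morning
        else:
            delivered = t + timedelta(seconds=1 + i % 3)  # connected: near-instant ack
        probes.append(Probe(t, delivered))
    return probes


def demo() -> dict:
    return infer_schedule(constructed_probe_log(datetime(2026, 4, 19)))


if __name__ == "__main__":
    result = demo()
    print("online ratio by hour:", result["profile"])
    print(f"likely asleep from {result['asleep_from_hour']:02d}:00 for {result['asleep_hours']} h")
```

Nothing in the target's app changes while this runs; the only signal is the sender-side receipt latency, which is why the per-message-type removals the article describes matter: each removed kind is one fewer way to generate a receipt without rendering anything.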

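Be'ery's whack-a-mole objection in "Does WhatsApp Need To Be Fixed?" is an argument about deny-list versus default-deny design. The toy policy below is an added example, not WhatsApp's code: the message kinds, phone numbers, contact list and message-id store are all constructed. It applies both approaches to the same inbound traffic. The per-type blocklist catches the reaction probe it has already learned about and passes the same trick dressed as a newer message kind; the sender allow-list never delivers anything from an unapproved number, so there is no receipt to time and no new message kind to learn.

```python
"""Deny-list by message type versus default-deny by sender.

Added example, not WhatsApp code. Message kind names ("text", "reaction",
"poll_vote"), the sample numbers, the contact list and the store of message ids
the recipient actually has are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Inbound:
    sender: str
    recipient: str
    kind: str                        # assumed kind names, see module docstring
    refers_to: Optional[str] = None  # id of the message a reaction/vote points at


# Kinds the enforcement point has already learned can be sent invisibly
# (the reaction-to-nonexistent-message trick described in the article).
KNOWN_SILENT_KINDS: Set[str] = {"reaction"}


def blocklist_decision(msg: Inbound, known_ids: Set[str]) -> str:
    """Per-message-type fix: drop a reaction that points at a message the recipient
    never had. Every kind not yet on KNOWN_SILENT_KINDS is delivered untouched, so the
    next feature that can reference a message id reopens the side channel."""
    if msg.kind in KNOWN_SILENT_KINDS and msg.refers_to not in known_ids:
        return "drop"
    return "deliver"


def allowlist_decision(msg: Inbound, contacts: Dict[str, Set[str]]) -> str:
    """Default deny by sender: approved peers are delivered regardless of kind; anyone
    else is reduced to a bare connection request that carries no message body and
    yields no delivery receipt, so there is nothing to time and nothing to render."""
    if msg.sender in contacts.get(msg.recipient, set()):
        return "deliver"
    return "connection_request"


def compare_policies(messages: List[Inbound], known_ids: Set[str],
                     contacts: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(kind, blocklist outcome, allowlist outcome) for each inbound message."""
    return [(m.kind, blocklist_decision(m, known_ids), allowlist_decision(m, contacts))
            for m in messages]


# Constructed sample: +15550001 is the target, +15550002 a saved contact, +15559999 a stranger.
SAMPLE_CONTACTS: Dict[str, Set[str]] = {"+15550001": {"+15550002"}}
SAMPLE_KNOWN_IDS: Set[str] = {"msg-1", "msg-2"}
SAMPLE_MESSAGES: List[Inbound] = [
    Inbound("+15550002", "+15550001", "text"),
    Inbound("+15559999", "+15550001", "reaction", refers_to="nope-1"),   # the probe already on the list
    Inbound("+15559999", "+15550001", "poll_vote", refers_to="nope-2"),  # same trick via a newer kind
    Inbound("+15559999", "+15550001", "text"),                            # the classic "Hi" from a stranger
]


def demo() -> List[Tuple[str, str, str]]:
    return compare_policies(SAMPLE_MESSAGES, SAMPLE_KNOWN_IDS, SAMPLE_CONTACTS)


if __name__ == "__main__":
    for kind, by_type, by_sender in demo():
        print(f"{kind:10s} blocklist={by_type:8s} allowlist={by_sender}")
```

Adding "poll_vote" to KNOWN_SILENT_KINDS fixes the third row, which is exactly the one-type-at-a-time cycle Be'ery describes; the allow-list column is unchanged no matter how many kinds are added, which is the point of his comparison with LinkedIn and Facebook.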
Summarized

WhatsApp leaks user metadata to strangers, as demonstrated by Tal Be'ery, cofounder and CTO of Zengo, whose research will be presented at Black Hat Asia 2026. With a custom client plugged into the WhatsApp Web protocol, anyone who knows a target's phone number, from a nation-state actor to a low-end scammer, can infer the target's online habits and the kinds of devices on the account without breaking the app's end-to-end encryption. Two mechanisms are involved. The first is "silent pings": application-layer messages, such as a reaction to a message that does not exist, that the recipient's app never displays but that still return a delivery receipt, whose timing reveals whether the target was online; sent constantly, they map sleep and work schedules and slowly drain the battery. The second is device fingerprinting: to support end-to-end encryption across several devices, each device registered to an account has its own key material and device ID, which differ by operating system, and a sender obtains them simply by starting a chat or adding the target as a contact, with no notification to the target. The device leak did not meet WhatsApp's threshold for a CVE, but Be'ery argues it enables surveillance pricing and lets spyware operators tailor exploits to a target's OS; his rogue client could also deliver a message to a single device instead of all of them. WhatsApp confirmed the findings to Dark Reading and has been removing silent-ping methods one message type at a time, alongside workarounds such as "Silence Unknown Callers," rate limiting, and "Strict Account Settings." Be'ery calls this whack-a-mole: the root cause is a product decision that lets any of WhatsApp's 3.5 billion users message anyone whose number they know, and only an allow-list model, in which just approved peers can reach you, would change the picture.