GoKawiilTal Be'ery knew that I was online the night before I called him. He knew what kind of device I was using. I didn't share this information with him. All he had was my phone number.
I had no way to know that he was learning that information about me, either. Be’ery, cofounder and chief technology officer (CTO) of Zengo — whose $70 million acquisition by eToro was announced during our call — silently pried into my online habits (with my permission) using a jerry-rigged program he designed to plug into WhatsApp, and exploit the thin layer of metadata it leaks. In a presentation at Black Hat Asia 2026, he'll show that anyone can perform the same tricks, be they sophisticated nation-state advanced persistent threats (APTs) or lowly scammers. It doesn't require any kind of sophisticated zero-day; all one has to do is leverage WhatsApp's own design choices.
Dark Reading contacted WhatsApp in the process of reporting this story. The company made no official statement but did confirm the details of Be'ery's findings and alluded to mitigations it's been working on to address the areas of his research WhatsApp deems significant.
Related:Two-Factor Authentication Breaks Free from the Desktop
Silent Pings
In 2024, Austrian researchers described a series of ways that WhatsApp users can send recipients application-layer messages that don't actually show up on the victim's device. With a custom program plugged into the WhatsApp Web protocol, one could, for instance, send a reaction to a message that doesn't exist. Nothing will happen in the recipient's app, but the sender will still be able to infer if they were active and online, based on the time it takes to get a delivery receipt in return.
Presumably, if an attacker used such a program to constantly, silently ping a recipient's device, they could paint a picture of their victim's online habits when their victim is online — their sleep or work schedule, when they might be primed to receive the right kind of phishing message, etc. — or perform a resource exhaustion attack, draining the recipient's battery slowly without their knowing why.
It's even easier to find out what kinds of devices a victim is using, thanks to a quirk in WhatsApp's flagship security feature. The app provides end-to-end encryption for all chats, to the extent that even WhatsApp itself cannot pry into your texts. To make that happen, each device registered to one's WhatsApp account has its own "fingerprint": private key material and an ID, which differ depending on the underlying operating system (OS). When a sender triggers a new chat with a recipient, behind the scenes, they receive the key material and IDs for the devices that recipient has registered with WhatsApp. Ipso facto, by merely adding a victim to one's contact list — an action that does not alert the victim in any way — an attacker can learn what kinds of devices they use WhatsApp on.
Related:Microsoft's Original Windows Secure Boot Certificate Is Expiring
"With end-to-end encryption, if someone attacks WhatsApp's servers, they cannot read your data, and even WhatsApp cannot read your data. But the flip side of this coin is that WhatsApp also cannot protect you," Be'ery explains.
... continue reading