Date: 2022-10-27

WhatsApp is one of the most widely used messaging apps, and people throughout the world rely on it to connect with their loved ones. While using the app, we believe that we are safe and secure and that no one can track us because of end-to-end encryption. However, this is not always the case. Security researchers have found an alarming method that can expose users' location data in WhatsApp. WhatsApp is not the only messaging app with this glitch; location data in Signal and Threema can also be exposed.

The method is not 100 percent accurate, but tests showed that it has 80 percent reliability, which is a big number. The research team carried out multiple experiments and found that the accuracy of location hacking differed for each messaging platform:

82% for Signal targets

80% for Threema

74% for those using WhatsApp

A team of researchers has found that it’s possible to infer the locations of users of popular instant messenger apps with an accuracy that surpasses 80% by launching a specially crafted timing attack. The trick lies in measuring the time taken for the attacker to receive the message delivery status notification on a message sent to the target. Because mobile internet networks and IM app server infrastructure have specific physical characteristics that result in standard signal pathways, these notifications have predictable delays based on the user’s position.

To put it simply, if I send a message to someone, the app shows an indicator of whether the message has been received. The time this indicator takes to appear reflects the path the message travels to reach the receiver, and it is quite small. However, an attacker can measure this delay from the logs of a packet capture application like Wireshark and use it to work out your location.

This attack can be used against specific targets, not against everyone who uses these apps. Hackers need to message users when they are in a known location and note the timings. Once they have this calibration data, they can easily find the location of a user by sending a message.

The network traffic analysis can help the attacker determine which packets are the delivered status notifications. In the apps tested by the researchers, these packets either have predetermined sizes or have identifiable structure patterns. Next, the attacker needs to classify the different locations and match them to measured “round-trip” times, and then attempt to correlate these pairs with the target’s location using the known data set.

The team said that the only solution to this issue is to introduce a system that will randomize the delivery confirmation.
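The effect of the mitigation described above, as an added example that is not from the researchers or the original article: a small simulation showing how random padding on delivery receipts pushes a nearest-average timing classifier toward chance. The location names, millisecond values and function names are constructed assumptions chosen for illustration.

```python
import random
import statistics

# Constructed values (not from the research): mean receipt round-trip time in
# milliseconds for three hypothetical places, plus natural network jitter.
LOCATION_MEAN_MS = {"home": 310.0, "office": 345.0, "gym": 385.0}
NETWORK_JITTER_MS = 8.0


def receipt_rtt(location, max_pad_ms, rng):
    """One observed delay: network path + jitter + receiver-side random padding."""
    base = rng.gauss(LOCATION_MEAN_MS[location], NETWORK_JITTER_MS)
    return base + rng.uniform(0.0, max_pad_ms)


def classification_accuracy(max_pad_ms, samples=400, seed=1):
    """Accuracy of a nearest-average timing classifier when receipts are padded."""
    rng = random.Random(seed)
    # Calibration phase: the observer learns the average delay per known place.
    centroids = {
        loc: statistics.fmean(receipt_rtt(loc, max_pad_ms, rng) for _ in range(samples))
        for loc in LOCATION_MEAN_MS
    }
    # Test phase: each new delay is assigned to the closest learned average.
    correct = 0
    total = 0
    for loc in LOCATION_MEAN_MS:
        for _ in range(samples):
            rtt = receipt_rtt(loc, max_pad_ms, rng)
            guess = min(centroids, key=lambda c: abs(centroids[c] - rtt))
            correct += guess == loc
            total += 1
    return correct / total


if __name__ == "__main__":
    # Padding must be large relative to the gap between locations to matter.
    for pad in (0, 50, 200, 1000):
        print(f"padding 0-{pad:>4} ms -> accuracy {classification_accuracy(pad):.2f}")
```

With three locations, chance accuracy is about 0.33, so the padding range at which the printed accuracy approaches that value indicates how much randomization a receipt would need under these assumed delays.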

However, it should be noted here that location hacking can only be done by people who know your whereabouts, such as where you work, when you go home, and the favorite places you visit often. A random person who does not know anything about you would not be able to find your location.

