Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

WhatsApp Leaks User Metadata to Attackers

  • What: WhatsApp leaks user metadata to attackers.
  • Impact: User privacy could be compromised.

WhatsApp Leaks User Metadata to Attackers

Strangers can infer limited info about you without knowing or messaging you, which could theoretically aid certain kinds of malicious activity.
Nate Nelson, Contributing Writer
April 20, 2026

Tal Be'ery knew that I was online the night before I called him. He knew what kind of device I was using. I didn't share this information with him. All he had was my phone number. I had no way to know that he was learning that information about me, either.

Be'ery, cofounder and chief technology officer (CTO) of Zengo — whose $70 million acquisition by eToro was announced during our call — silently pried into my online habits (with my permission) using a jerry-rigged program he designed to plug into WhatsApp and exploit the thin layer of metadata it leaks. In a presentation at Black Hat Asia 2026, he'll show that anyone can perform the same tricks, be they sophisticated nation-state advanced persistent threats (APTs) or lowly scammers. It doesn't require any kind of sophisticated zero-day; all one has to do is leverage WhatsApp's own design choices.

Dark Reading contacted WhatsApp in the process of reporting this story. The company made no official statement but did confirm the details of Be'ery's findings and alluded to mitigations it's been working on to address the areas of his research WhatsApp deems significant.

Silent Pings

In 2024, Austrian researchers described a series of ways that WhatsApp users can send recipients application-layer messages that don't actually show up on the victim's device. With a custom program plugged into the WhatsApp Web protocol, one could, for instance, send a reaction to a message that doesn't exist. Nothing will happen in the recipient's app, but the sender will still be able to infer whether they were active and online, based on the time it takes to get a delivery receipt in return.

Presumably, if an attacker used such a program to constantly, silently ping a recipient's device, they could paint a picture of their victim's online habits — their sleep or work schedule, when they might be primed to receive the right kind of phishing message, etc. — or perform a resource exhaustion attack, draining the recipient's battery slowly without their knowing why.

It's even easier to find out what kinds of devices a victim is using, thanks to a quirk in WhatsApp's flagship security feature. The app provides end-to-end encryption for all chats, to the extent that even WhatsApp itself cannot pry into your texts. To make that happen, each device registered to one's WhatsApp account has its own "fingerprint": private key material and an ID, which differ depending on the underlying operating system (OS). When a sender starts a new chat with a recipient, behind the scenes, they receive the key material and IDs for the devices that recipient has registered with WhatsApp. As a result, by merely adding a victim to one's contact list — an action that does not alert the victim in any way — an attacker can learn what kinds of devices they use WhatsApp on.

"With end-to-end encryption, if someone attacks WhatsApp's servers, they cannot read your data, and even WhatsApp cannot read your data. But the flip side of this coin is that WhatsApp also cannot protect you," Be'ery explains.

Device information might not sound interesting, and WhatsApp isn't the only messaging system that leaks it. Apple's iMessage does so much more visibly, in fact, via its famous blue and green text bubbles. Be'ery's security report on this subject did not meet WhatsApp's threshold for generating a CVE, but the researcher argues that device fingerprinting is useful to bad actors. At the benign end of the spectrum, companies could use that kind of information to perform surveillance pricing.

"You're a potential customer, and I need to know what price to suggest to you. So I have a tell. Maybe you're willing to pay more because you're an iPhone user, and you also have an iPad, and not cheaper Android-based devices."

In the shady world of spyware, powerful threat actors need to ultra-tailor their attacks to specific operating systems. Armed with this knowledge, nation-states can purchase and deploy tools tailored to their specific targets' devices.

In his experiments on me, Be'ery went one step further: He sent a message to my desktop, which never arrived on the other devices on which I have WhatsApp installed. "A properly implemented client would have sent it to all three of the devices. But with a rogue client, then I can send to just one, and if I had a Web exploit, then I would send it to just that device," he explains.

WhatsApp's Core Problem

If an unrecognized number has ever sent you a WhatsApp message simply saying "Hi" without elaborating, or added you to a huge group chat about cryptocurrencies, you'll know that there's nothing standing between you and the bad actors of the world on Meta's chat app. Any WhatsApp user can message any of its other 3.5 billion users, so long as the sender knows — or guesses — the right phone number.

"From a product perspective, of course it makes a lot of sense," Be'ery acknowledges. "Initially, when you're a small company, before you build your network effect, you don't want to have any friction. You want people to talk to each other."

Even compared to other social apps, though, it's highly permissive. "On social networks like LinkedIn or Facebook, I can only get messages from people within my contacts list. And there is a way like a minimal interface for requesting to connect, which cannot contain all kinds of weird data. So it's much more limited, and this creates a much lesser attack surface," Be'ery explains.

WhatsApp's open policy about who can contact whom is what enables Be'ery to track this reporter's online habits, pig butchers to frictionlessly reach your parents, and governments to attack dissidents and journalists with 0-click spyware. In the latter case, though, targets who know they're targets can enable WhatsApp's new "Strict Account Settings" feature, at some cost to their user experience.

Does WhatsApp Need To Be Fixed?

Thus far, Meta hasn't been interested in changing such a fundamental feature of its application logic, for such reasons as Be'ery suggests. Instead, it's been working around the problem with features like "Silence Unknown Callers," rate limiting, and more microscopic fixes. Right around the beginning of the year, for instance, Be'ery noticed that the means by which he could fingerprint Android devices running WhatsApp no longer worked. Because iPhones still leak sufficient metadata, and there isn't a third major mobile OS, the outcome is moot for now.

In general, partly in response to Be'ery's research, the developers have quietly been eliminating some means of sending silent pings. Be'ery takes issue with this approach. "They're going message type by message type. It's a bit of a whack-a-mole. There are dozens of kinds of 'messages': live location, audio-related, all kinds of media-related, polls, etc. Every new feature is a new kind of method [for silent pinging]. So it's much harder," he says, than simply shielding users from strangers like social media platforms do.

"WhatsApp is great," he acknowledges. "I think its end-to-end encryption is much better than what you get, let's say, over Gmail, in which Google is reading your emails because there is no encryption. Having said that, with great power comes great responsibility. I think if only your peers or pre-approved other clients can reach you, then it changes everything. The whole environment would be much safer."