Summary of "The REAL reason end-to-end encryption is "allowed" (UNPATCHED)"
Privacy Vulnerability in End-to-End Encrypted Messaging Apps
The video explores a significant and largely unknown privacy vulnerability affecting popular end-to-end encrypted messaging apps like WhatsApp and Signal. Despite their encryption protecting message content, these apps leak extensive metadata through a side channel involving delivery receipts. This enables adversaries to build detailed user profiles using only a phone number.
Key Technological Concepts and Features
End-to-End Encryption Basics
Messages are encrypted on the sender’s device and decrypted only on the recipient’s device, preventing servers or intermediaries from reading message contents. WhatsApp and Signal use this model, with Signal focusing heavily on privacy.
Multi-Device Support Approaches
- Leader-based: One device manages encryption keys; others sync through it (used by WhatsApp until 2021).
- Client Fanout: Each device has its own encryption keys; messages are separately encrypted and sent to each device (currently used by WhatsApp and Signal).
Delivery Receipts
There are three types of delivery receipts:
- Sent: Single check mark
- Delivered: Double check mark (mandatory and cannot be disabled)
- Read: Colored double check mark
The delivered receipt acts as a control flow mechanism for encryption.
Privacy Vulnerabilities and Side Channel Exploits
- Device Enumeration and Monitoring: Attackers can probe delivery receipts to determine how many devices a user has, when new devices are added, and which device is used for messaging.
- Silent Probing via Malformed Messages: Malformed or invisible message reactions can trigger delivery receipts without notifying the user, allowing continuous, covert monitoring of a device’s online status.
- Timing Side Channel (Round Trip Time - RTT): Measuring the time between sending a malformed message and receiving a delivery receipt reveals the phone’s state: locked, unlocked but app in background, or app open in foreground. This enables detailed tracking of user activity and habits.
- Device Fingerprinting: Different devices respond with distinguishable timing patterns, allowing attackers to identify the victim’s phone model or manufacturer.
- Additional Metadata Leaks: Long-term monitoring can reveal when a device switches between Wi-Fi and cellular data, when phone calls occur, and correlate communication patterns to build social graphs.
- Resource Exhaustion Attack: Sending large message reactions (up to 1000 characters) can cause excessive data usage (up to 13 GB/hour) and battery drain (~18% per hour) on victim devices.
Impact and Real-World Testing
- Researchers tested these exploits on real devices over extended periods, confirming the severity and practicality of the attacks.
- The leaked information could facilitate targeted law enforcement actions (e.g., timing raids when a phone is unlocked), civilian stalking, and broader surveillance.
Response from WhatsApp and Signal
- Researchers reported the vulnerabilities on September 5, 2024.
- WhatsApp responded internally and introduced a non-default setting to block high volumes of messages from unknown accounts, but details and effectiveness remain unclear.
- Signal has not publicly responded or patched the issue.
- Both apps continue to leave this side channel unpatched as of mid-2025.
Suggested Fixes and Mitigations
- Implement stricter rate limiting on delivery receipt responses.
- Standardize app behavior across platforms to reduce information leakage.
- Randomize delivery receipt timings to mitigate timing side channels.
- Add client-side validation to reject malformed messages.
- Restrict or disable background app activity (though current OS-level options are insufficient).
- Use privacy features like Signal’s “invisible” mode from account creation to reduce exposure.
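The first and third fixes above can be sketched together. This is an added example, not code from the video, the paper, WhatsApp or Signal: a per-sender token bucket caps how many receipts one account can trigger, and each receipt is padded to a fixed deadline plus random jitter so its delay no longer tracks how long the device took to process the message. The class, its parameters and the two latencies are hypothetical, and it assumes a suppressed receipt is acceptable to the protocol.

```python
import math
import random

class ReceiptGate:
    """Decides if and when a delivery receipt is sent (hypothetical client-side helper)."""

    def __init__(self, per_minute=6, burst=3, deadline_s=2.0, jitter_s=0.5, rng=None):
        self.rate = per_minute / 60.0      # tokens refilled per second, per sender
        self.burst = float(burst)          # receipts a sender can trigger back to back
        self.deadline_s = deadline_s       # every receipt is padded to this delay
        self.jitter_s = jitter_s           # random delay added on top of the padding
        self.rng = rng or random.SystemRandom()
        self.buckets = {}                  # sender -> (tokens, last_seen)

    def allow(self, sender, now):
        """Token bucket: False means the receipt for this message is suppressed."""
        tokens, last = self.buckets.get(sender, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[sender] = (tokens - 1.0 if ok else tokens, now)
        return ok

    def send_time(self, received_at, processing_s):
        """Pad to the next multiple of the deadline so processing time is not visible."""
        slots = max(1, math.ceil(processing_s / self.deadline_s))
        return received_at + slots * self.deadline_s + self.rng.uniform(0.0, self.jitter_s)

    def handle(self, sender, received_at, processing_s):
        """Return the time the receipt leaves the device, or None if suppressed."""
        if not self.allow(sender, received_at):
            return None
        return self.send_time(received_at, processing_s)


def observed_rtts(gate, sender, processing_s, probes, interval_s, start=1000.0):
    """Receipt delays a sender would measure; None where the receipt was suppressed."""
    out = []
    for i in range(probes):
        t = start + i * interval_s
        sent = gate.handle(sender, t, processing_s)
        out.append(None if sent is None else sent - t)
    return out


# Constructed processing latencies for two device states (not measured values).
FOREGROUND_S, LOCKED_S = 0.3, 1.5
```

With the defaults, both constructed states produce receipt delays in the same 2.0 to 2.5 second window, and a sender messaging every 0.1 seconds gets three receipts before the bucket empties.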
Limitations and User Workarounds
- Disabling background app activity is unreliable on stock Android.
- Fully disabling the app or switching profiles (e.g., in GrapheneOS) helps but is inconvenient and still vulnerable when the app is active.
- New Signal privacy features do not apply retroactively, leaving existing users exposed.
Main Speakers / Sources
- The video is presented by a technology/security content creator who references a security research paper titled Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers.
- The findings are based on original security research conducted by unnamed researchers who responsibly disclosed the vulnerabilities to WhatsApp and Signal.
Summary: This video reveals a critical, unpatched privacy flaw in WhatsApp and Signal where mandatory delivery receipts and message reaction mechanics leak detailed metadata through timing side channels. This allows adversaries to profile users’ device usage, habits, and social connections using only their phone number—without malware or user interaction. Despite responsible disclosure, the vulnerability remains largely unaddressed, posing serious risks to user privacy and security.