A group of researchers from different countries has found that users' locations can be tracked using the most common feature in messengers that guarantee user privacy.
Phone messengers, such as WhatsApp, use notifications that inform the sender that the message has reached the recipient. However, this useful and important feature makes the privacy of a user's location vulnerable. To demonstrate this, researchers studied three messengers considered trustworthy: Signal, WhatsApp and Threema.
The study shows that messages sent from these three messengers in different directions reach their recipients at different but distinguishable times, depending on the distance between sender and recipient, the messenger they use and the means of communication, so that the sender's location can be detected with a probability of up to 80 percent. Moreover, the problem is easily solved if messengers artificially delay sending the message delivery notification.
This security gap is important for several reasons. First, all three messengers are considered secure because they use an end-to-end encryption system, but the user is not told that this system is highly likely to reveal their location.
It should be noted that only users on the recipient's contact list can have access to this information. This seems to reduce the risk, but given the wide range of contacts in today's reality, the risk of becoming a victim of miscreants increases. In addition, in messengers, there is no way for a user to stop receiving a message from a contact in his contact list, other than to block him permanently and thus stop communicating with him digitally at all.
Getting confidential information about someone by sending them just a few messages is also problematic because the process is simple and non-suspicious.
In the study, messages were sent between two phones in the same country, in the same city, and in different countries, using a Wi-Fi connection, a regular Internet connection, a VPN* and Tor**. The researchers first calculated the speed of receipt of the message when the exact location of the recipient was known, then did the same with a changed and previously unknown recipient address. According to the study, recipient location accuracy is up to 82% for Signal, up to 80% for Threema and up to 74% for WhatsApp.
* Virtual private network - used for masking, changing IP address and equipment location.
** Tor network - unlike VPN, which changes the IP address, Tor hides it completely.
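
The delay countermeasure mentioned above can be illustrated with a small simulation (an added example, not code from the study): an observer calibrates on known locations, as in the experiment described, then guesses a location from delivery-notification timings, with and without random padding added by the messenger. All delay values, the noise level and the function names are constructed assumptions, not measurements.

```python
import random
import statistics

# Constructed values: mean delivery-notification delay (ms) per recipient location.
# Illustrative only, not measurements from the study.
LOCATIONS = {"same_city": 300.0, "same_country": 380.0, "abroad": 520.0}
NETWORK_NOISE_MS = 25.0  # assumed natural spread of a single measurement


def receipt_delay(rng, location, max_pad_ms):
    """One observed delay: network time plus the messenger's random padding."""
    network = rng.gauss(LOCATIONS[location], NETWORK_NOISE_MS)
    padding = rng.uniform(0.0, max_pad_ms)  # the mitigation: artificial delay
    return network + padding


def observer_accuracy(max_pad_ms, probes=5, trials=2000, seed=1):
    """Fraction of trials in which a nearest-mean guess picks the right location."""
    rng = random.Random(seed)
    # Calibration phase: mean delay per location, measured with known locations.
    profile = {
        loc: statistics.mean(receipt_delay(rng, loc, max_pad_ms) for _ in range(200))
        for loc in LOCATIONS
    }
    correct = 0
    for _ in range(trials):
        truth = rng.choice(list(LOCATIONS))
        # A few messages are averaged, as the article describes.
        observed = statistics.mean(
            receipt_delay(rng, truth, max_pad_ms) for _ in range(probes)
        )
        guess = min(profile, key=lambda loc: abs(profile[loc] - observed))
        correct += guess == truth
    return correct / trials


if __name__ == "__main__":
    for pad in (0, 500, 5000):
        print(f"padding up to {pad:>4} ms -> accuracy {observer_accuracy(pad):.2f}")
```

With three equally likely locations, an accuracy near one third means the timings no longer carry usable location information.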