Multi-device encryption vulnerabilities can lead to device fingerprinting.
A significant privacy vulnerability exists in the device identification mechanism: attackers can exploit it to fingerprint the operating system of a user's device through the end-to-end encryption protocol.
A security researcher found that these vulnerabilities leak user device information, aiding attackers in reconnaissance. The privacy issues stem from the multi-device protocol, which is based on the Sesame protocol. In this multi-device setup, the sender must establish a secure session with each of the receiver's devices. However, this design inadvertently leaks detailed information about the receiver's devices, such as how many devices they are using, whether the devices are mobile or desktop, and the long-term identifier of each device. These identifiers allow for persistent tracking of devices, even if the user blocks another device on the platform.
Although these information leaks are problematic in themselves, the study found that attackers can also infer more specific details, such as the operating system used by each device. This gives attackers a more targeted path to exploiting operating-system-specific vulnerabilities. For example, attackers can identify which type of device the victim is using and use this information to tailor attacks, targeting the most vulnerable devices.
Belonging to, with over billion active users worldwide, these privacy issues could have widespread implications. The issue was first discovered earlier this year, and recent findings indicate that the problem is more severe than initially thought. By examining features such as the "view once media" function and message structure, it was possible to refine the analysis, revealing that messages contained OS-specific identifiers. This means that attackers could not only determine the device type but also the operating system in use, such as distinguishing between and or and desktop.
The impact of these vulnerabilities is not particularly severe, but attackers can still use them as part of a complex attack chain to identify and exploit the weakest links in the victim's device ecosystem. Even non-technical attackers, such as individuals involved in domestic espionage, can use these information leaks to gain a deeper understanding of the victim's device setup.
The issue was disclosed to [Recipient] on [Date], but only received a partial response. [Recipient]'s security team acknowledged the report but has not yet released a comprehensive fix. Given that the [Vulnerability] is being widely exploited through tools like the [Extension], [Discloser] decided to publish his findings after [Recipient] remained silent for a month. Researchers believe that resolving this issue could be straightforward, requiring only the standardization of message [Generation] across platforms to eliminate fingerprinting vectors.
For users concerned about these vulnerabilities, there are steps you can take to protect yourself: be mindful of the number of devices linked to your account, especially desktop clients. If possible, consider limiting the use of or desktop applications. Monitor any unusual activity on your account, such as messages marked as read on devices you don't use.
Commenting on the report, a spokesperson sent us the following comment: "We appreciate the researchers' submission. We remain focused on protecting our users from various attacks while ensuring that we can continue to operate the services used by over a billion people worldwide." – Spokesperson.