Full Report
Tal Be’ery knew that I was online the night before I called him. He knew what kind of device I was using. I didn’t share this information with him. All he had was my phone number. I had no way to know that he was learning that information about me, either. Be’ery, cofounder and chief…
Analysis Summary
# Vulnerability: WhatsApp Metadata Leak and User Tracking
## CVE Details
- **CVE ID:** Not yet assigned (as of April 2026 reporting).
- **CVSS Score:** N/A (Privacy-focused design flaw).
- **CWE:** CWE-200: Information Exposure.
## Affected Systems
- **Products:** WhatsApp Messenger.
- **Versions:** All current versions as of April 21, 2026.
- **Configurations:** Default settings; affects users whose phone numbers are known to the attacker.
## Vulnerability Description
The flaw is not a traditional software bug or zero-day; it is an architectural design choice in how WhatsApp handles and synchronizes metadata. Using a custom-built program that speaks WhatsApp’s legitimate communication protocols, an attacker can silently monitor a user's presence. The "thin layer of metadata" leaked during protocol handshakes allows a remote party to determine:
1. **Online Status:** Real-time tracking of when a user is active.
2. **Device Information:** Details regarding the type of hardware/platform being used by the target.
## Exploitation
- **Status:** PoC available (Demonstrated by Tal Be’ery at Black Hat Asia 2026); potentially exploited in the wild by APTs and scammers.
- **Complexity:** Medium (Requires custom scripts/software to interface with WhatsApp protocols).
- **Attack Vector:** Network (Remote via phone number).
## Impact
- **Confidentiality:** High (Leakage of behavioral patterns, online habits, and hardware details).
- **Integrity:** None.
- **Availability:** None.
## Remediation
### Patches
- No specific patch version had been released as of the report date; however, WhatsApp has confirmed it is working on mitigations for specific research areas identified by Be’ery.
### Workarounds
- **Privacy Settings:** Users should restrict "Last Seen and Online" status to "Nobody" or "My Contacts" within the WhatsApp Privacy menu.
- **Contact Management:** Avoid sharing phone numbers publicly, as the phone number is the primary identifier needed for this metadata harvesting.
## Detection
- **Indicators of Compromise:** Extremely difficult to detect, as the exploitation leverages WhatsApp’s own design and does not require a message to be sent to the victim.
- **Detection Methods:** Users currently have no native way to know if their metadata is being harvested by a "jerry-rigged" program monitoring their status.
## References
- Black Hat Asia 2026: Tal Be’ery - WhatsApp Metadata Research.
- hxxps[://]threatbeat[.]com/project/whatsapp-leaks-user-metadata-to-attackers/
- hxxps[://]www[.]darkreading[.]com/ (Original source cited by Threat Beat)