Best Paper Award @ RAID 2025

Name	SBA Research Cookie
Provider	SBA Research
Purpose	Saves the settings of the visitors selected in the cookie box.
Cookie name	sba-research-cookie
Cookie runtime	1 year

Name	YouTube
Provider	YouTube
Purpose	Used to unblock YouTube content.
Privacy policy	https://policies.google.com/privacy
Host(s)	google.com
Cookie name	NID
Cookie runtime	6 months

Name	Vimeo
Provider	Vimeo
Purpose	Used to unblock Vimeo content.
Privacy policy	https://vimeo.com/privacy
Host(s)	player.vimeo.com
Cookie name	vuid
Cookie runtime	2 years

November 14, 2025

Researchers from SBA Research, the Security and Privacy Research Group at the University of Vienna and the UniVie Doctoral School Computer Science, have been honored with the Best Paper Award at the 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2025).

Their winning paper, titled Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers, was authored by Gabriel K. Gegenhuber, Maximilian Günther, Markus Maier, Aljosha Judmayer, Florian Holzbauer, Philipp É. Frenzel, and Johanna Ullrich.

Congratulations to the authors on this outstanding recognition!

Abstract

With over 3 billion users globally, mobile instant messaging apps have become indispensable for both personal and professional communication. Besides plain messaging, many services implement additional features such as delivery and read receipts informing a user when a message has successfully reached its target. This paper highlights that delivery receipts can pose significant privacy risks to users. We use specifically crafted messages that trigger delivery receipts allowing any user to be pinged without their knowledge or consent. By using this technique at high frequency, we demonstrate how an attacker could extract private information such as the online and activity status of a victim, e.g., screen on/off. Moreover, we can infer the number of currently active user devices and their operating system, as well as launch resource exhaustion attacks, such as draining a user’s battery or data allowance, all without generating any notification on the target side. Due to the widespread adoption of vulnerable messengers (WhatsApp and Signal) and the fact that any user can be targeted simply by knowing their phone number, we argue for a design change to address this issue.

Links

Research Paper:
Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers
Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp’s Handshake Mechanism

RAID 2025

News