Blocking or allowing domains should not mess up SSL. Is there anything else filtering or intercepting the trafic ?

I believe Signal has already fixed it, while meta said they won’t fix this in WhatsApp.

This side channel can be used to infer more than a rough timezone, specifically, an attacker could continuously monitor :

• the number of devices linked to the target’s account, along with fingerprints that allow differentiation between operating systems and browsers
• the locked or unlocked state of the target’s phone
• whether the phone is connected via Wi-Fi or a mobile network
• whether the WhatsApp application or browser tab is running in the foreground or background.

In addition, an attacker could deliberately drain the target’s phone battery and consume their mobile data allowance

I’ve tested this on myself and can confirm all of this can be done reliably

https://lemmy.pierre-couy.fr/comment/2733652

This is not high effort. Starting from an open source WhatsApp client library, reproducing the attacks described in the research paper is trivial. There are even a few public github repos implementing PoCs of this.

Whether the reward should be considered high or low is ultimately subjective. What is objectively verifiable, however, is that an attacker can continuously (and silently) monitor several aspects of a target’s environment, including:

• the number of devices linked to the target’s account, along with fingerprints that allow differentiation between operating systems and browsers
• the locked or unlocked state of the target’s phone
• whether the phone is connected via Wi-Fi or a mobile network
• whether the WhatsApp application or browser tab is running in the foreground or background.

In addition, an attacker could deliberately drain the target’s phone battery and consume their mobile data allowance.

This would have been a (if not the only) good point to make in the article considering the title. But I guess this would have taken space away from ads

The headline is vert clickbaity : it does not affect VPN users (the law forbids age-gated websites from promoting VPNs as a circumvention), and the whole article is just an ad for VPNs