🤖 AI Summary
This work identifies a targeted one-time prekey exhaustion vulnerability in WhatsApp’s Signal Protocol–based prekey mechanism, compromising perfect forward secrecy (PFS) for initial messages during session setup and thereby endangering user privacy and service availability. We present the first real-world, single-device targeted prekey exhaustion attack against production WhatsApp, achieved through reverse engineering, formal protocol modeling, end-to-end encryption analysis, and on-device penetration testing. Our evaluation quantifies the prekey exhaustion window and measures the latency of server-side prekey replenishment. Key contributions include: (i) uncovering an inherent privacy flaw in server-assisted key distribution—specifically, the lack of prekey usage accountability and rate limiting; (ii) empirically demonstrating PFS degradation at the granularity of the first message; and (iii) motivating a security reassessment of centralized key management in end-to-end encrypted systems, particularly regarding prekey lifecycle control and resilience against resource-exhaustion attacks.
📝 Abstract
WhatsApp, the world's largest messaging application, uses a version of the Signal protocol to provide end-to-end encryption (E2EE) with strong security guarantees, including Perfect Forward Secrecy (PFS). To ensure PFS right from the start of a new conversation -- even when the recipient is offline -- a stash of ephemeral (one-time) prekeys must be stored on a server. While the critical role of these one-time prekeys in achieving PFS has been outlined in the Signal specification, we are the first to demonstrate a targeted depletion attack against them on individual WhatsApp user devices. Our findings not only reveal an attack that can degrade PFS for certain messages, but also expose inherent privacy risks and serious availability implications arising from the refilling and distribution procedure essential for this security mechanism.
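As an added illustrative model (not WhatsApp's or libsignal's code), the following Python sketches the server-held stash of one-time prekeys the abstract describes: once the stash is empty, a session-setup bundle falls back to the signed prekey alone, which is the first-message PFS degradation at issue, and it also shows the per-requester fetch accountability and replenishment trigger that the summary identifies as missing. Class names, stash sizes and limits are assumptions chosen for the example.

```python
"""Constructed model of Signal-style one-time prekey distribution.
Not WhatsApp's or libsignal's code; key material is random placeholder bytes."""
import os
from collections import defaultdict


class PrekeyServer:
    def __init__(self, stash_size=3, per_requester_limit=5, refill_threshold=1):
        self.stash = {}                       # one-time prekeys by id, handed out at most once
        self.signed_prekey = os.urandom(32)   # medium-term key, reused across many sessions
        self.fetches = defaultdict(int)       # accountability: bundle fetches per requester
        self.limit = per_requester_limit      # assumed mitigation: cap fetches per requester
        self.refill_threshold = refill_threshold
        self.refill_requests = 0              # how often the device was asked to upload more
        self.replenish(stash_size)

    def replenish(self, n):
        # The owning device would upload real prekeys; placeholders stand in here.
        for _ in range(n):
            self.stash[os.urandom(4).hex()] = os.urandom(32)

    def fetch_bundle(self, requester):
        self.fetches[requester] += 1
        if self.fetches[requester] > self.limit:
            raise PermissionError("bundle fetch limit exceeded for requester")
        bundle = {"signed_prekey": self.signed_prekey, "one_time_prekey": None}
        if self.stash:
            key_id, key = self.stash.popitem()   # each one-time prekey is consumed on use
            bundle["one_time_prekey"] = (key_id, key)
        if len(self.stash) <= self.refill_threshold:
            self.refill_requests += 1            # tell the device to upload a fresh batch
        return bundle


def first_message_has_pfs(bundle):
    """A fresh one-time prekey gives the initial message per-session forward secrecy;
    a bundle carrying only the signed prekey depends on a key shared across sessions."""
    return bundle["one_time_prekey"] is not None
```

Running fetches past the stash size shows the bundles switching from one-time to signed-prekey-only, while the fetch counter gives the server a basis for rate limiting and early replenishment.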