Cloudflare CDN flaw leaks user location data, even through secure chat apps

A security researcher discovered a flaw in Cloudflare’s content delivery network (CDN), which could expose a person’s general location by simply sending them an image on platforms like Signal and Discord.

While the geo-locating capability of the attack is not precise enough for street-level tracking, it can provide enough data to infer what geographic region a person lives in and monitor their movements.

The researcher’s finding is particularly concerning for people who are highly concerned about their privacy, like journalists, activists, dissidents, and even cybercriminals.

However, for law enforcement, this flaw could be a boon to investigations, allowing them to learn more about the country or state where a suspect may be located.

Stealthy 0-click tracking

Three months ago, a security researcher named Daniel discovered that Cloudflare caches media resources at the data center nearest to the user to improve load times.

“3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius,” explained Daniel.

“With a vulnerable app installed on a target’s phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds–and you wouldn’t even know.”

To conduct the information-disclosure attack, the researcher would send a message to someone with a unique image, whether that be a screenshot or even a profile avatar, hosted on Cloudflare’s CDN.

Next, he used a custom tool called Cloudflare Teleport to exploit a bug in Cloudflare Workers that allowed requests to be forced through specific data centers.

This arbitrary routing is normally disallowed by Cloudflare’s default security restrictions, which dictate that each request is routed from the nearest data center.

By enumerating cached responses for the sent image across different Cloudflare data centers, the researcher could map a user’s general location, because each cached response identifies the data center that served it by the airport code nearest to it.

Figure: Calculating response times (Source: hackermondev | GitHub)

Additionally, since many apps automatically download images for push notifications, including Signal and Discord, an attacker can track a target without user interaction, making this a zero-click attack.

The tracking accuracy ranges between 50 and 300 miles, depending on the region and how many Cloudflare data centers are nearby. Precision around major cities should be better than in rural or less populated areas.

While experimenting with geo-locating Discord’s CTO, Stanislav Vishnevskiy, the researcher found that Cloudflare uses anycast routing with multiple nearby data centers handling a request for better load balancing, allowing even better accuracy.

Figure: Locating the target (Source: hackermondev | GitHub)

Response from affected platforms

As first reported by 404 Media, the researcher disclosed his findings to Cloudflare, Signal, and Discord; Cloudflare marked the issue as resolved and awarded him a $200 bounty.

Daniel confirmed that the Workers bug was patched, but after reworking Teleport to test different CDN locations through a VPN, he found that the geo-locating attack is still possible, if a bit more cumbersome now.

“I chose a VPN provider with over 3,000 servers located in various locations across 31 different countries worldwide,” explains the researcher in his writeup.

“Using this new method, I’m able to reach about 54% of all Cloudflare datacenters again. While this doesn’t sound like a lot, this covers most places in the world with significant population.”

Responding to a subsequent request, Cloudflare told the researcher that it is ultimately the users’ responsibility to disable caching.
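Since Cloudflare’s position is that disabling caching is the customer’s job, the practical defensive check for an app operator is to verify that per-user media (avatars, attachments) is actually served uncached at the edge. The script below is an added example written for this article, not code from the researcher or from any of the platforms named. It inspects the headers a Cloudflare-fronted response carries: CF-Cache-Status (HIT, MISS, BYPASS, DYNAMIC and so on) and CF-Ray, whose three-letter suffix is the airport code of the data center that served the request, the same identifier the article says the attack reads. The sample responses and the cdn.example.invalid hostnames are constructed for the demonstration, not captured from a real service.

```python
"""Audit whether media URLs behind Cloudflare are edge-cacheable.

Added example, not from the article or the researcher's tooling. Header
names are the real Cloudflare ones (CF-Cache-Status, CF-Ray); the sample
responses at the bottom are constructed, not real captures.
"""
import re
from dataclasses import dataclass
from typing import Optional

# CF-Ray looks like "<16 hex chars>-<IATA code>"; the suffix names the
# data center (colo) that served the request.
CF_RAY_RE = re.compile(r"^[0-9a-f]{16}-([A-Z]{3})$")

# Cache statuses meaning the edge served (or is refreshing) a stored copy.
CACHED_STATUSES = {"HIT", "STALE", "UPDATING", "REVALIDATED"}


@dataclass
class CacheFinding:
    url: str
    cache_status: str
    colo: Optional[str]
    cacheable: bool
    advice: str


def _cache_control_disables_caching(value: str) -> bool:
    """True if Cache-Control carries a directive that keeps the edge from storing the body."""
    directives = {d.strip().lower() for d in value.split(",")}
    return bool(directives & {"no-store", "private"})


def audit_media_response(url: str, headers: dict) -> CacheFinding:
    """Classify one response; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    status = h.get("cf-cache-status", "").upper() or "ABSENT"
    colo = None
    m = CF_RAY_RE.match(h.get("cf-ray", ""))
    if m:
        colo = m.group(1)
    cache_control = h.get("cache-control", "")
    # A HIT is cached now; a MISS/EXPIRED without no-store/private will be
    # stored on this request and served from the edge on the next one.
    cacheable = status in CACHED_STATUSES or (
        status in {"MISS", "EXPIRED"}
        and not _cache_control_disables_caching(cache_control)
    )
    if status == "ABSENT":
        advice = "no CF-Cache-Status header: response may not be proxied by Cloudflare"
    elif cacheable:
        advice = ("asset is edge-cacheable; serve per-user media with "
                  "Cache-Control: private, no-store or a cache-bypass rule")
    else:
        advice = "asset bypasses the edge cache"
    return CacheFinding(url, status, colo, cacheable, advice)


def audit_all(responses: dict) -> list:
    """Run the audit over a mapping of URL -> response headers."""
    return [audit_media_response(u, hd) for u, hd in responses.items()]


# Constructed sample responses (hostnames and CF-Ray values are made up).
SAMPLE_RESPONSES = {
    "https://cdn.example.invalid/avatars/123.png": {
        "CF-Cache-Status": "HIT",
        "CF-Ray": "0123456789abcdef-SJC",
        "Cache-Control": "public, max-age=31536000",
    },
    "https://cdn.example.invalid/attachments/456.png": {
        "CF-Cache-Status": "BYPASS",
        "CF-Ray": "0123456789abcdef-FRA",
        "Cache-Control": "private, no-store",
    },
    "https://cdn.example.invalid/attachments/789.png": {
        "CF-Cache-Status": "MISS",
        "CF-Ray": "0123456789abcdef-LHR",
        "Cache-Control": "public, max-age=3600",
    },
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_RESPONSES):
        flag = "EXPOSED" if f.cacheable else "ok"
        print(f"{flag:8} {f.cache_status:8} colo={f.colo} {f.url}")
        print(f"         {f.advice}")
```

In practice you would feed the function the headers from a real request to each of your own media URLs (for example from `requests` or `curl -I`); any user-specific asset that comes back EXPOSED is one a recipient’s client can pull into the edge cache simply by displaying it, which is the condition the article’s attack relies on.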

Discord rejected the report as a Cloudflare issue, as did Signal, noting that it’s outside their mission’s scope to implement network-layer anonymity features.

BleepingComputer has reached out to Signal, Discord, and Cloudflare for a comment on the researcher’s findings, but we are still waiting for their responses.
