A security researcher has uncovered a vulnerability in Cloudflare’s content delivery network (CDN) that could reveal a user’s approximate location simply by sending them an image on platforms like Signal or Discord.
This flaw, while not accurate enough for pinpointing exact addresses, can narrow down a person’s location to a region or city and track their movements.
The researcher, identified as Daniel, revealed the flaw three months ago, describing it as a “0-click deanonymization attack.” Cloudflare’s CDN optimizes load times by caching media files at the closest data center to the user. By exploiting this behavior, Daniel developed a method to determine a target’s location within a radius of 50 to 300 miles.
The attack involves sending a unique image hosted on Cloudflare’s CDN to a target. By leveraging a bug in Cloudflare Workers and a custom tool called Cloudflare Teleport, Daniel forced the request through specific data centers. The returned airport codes or response times from these centers provided clues about the user’s location.
Notably, apps like Signal and Discord, which automatically download images for notifications, are particularly vulnerable. This enables tracking without requiring any interaction from the target, making it a zero-click exploit.
Platform Responses and Mitigation
Cloudflare acknowledged the vulnerability and patched the Workers bug, awarding the researcher a $200 bounty. However, Daniel demonstrated that a modified approach using a VPN to manipulate CDN routing still makes the attack feasible, albeit with reduced effectiveness.
Discord and Signal dismissed the vulnerability as outside their scope, attributing the issue to Cloudflare. Discord noted that it relies on Cloudflare’s caching infrastructure, while Signal stated it does not aim to provide network-layer anonymity.
