
Security researcher Daniel, also known as hackermondev, has revealed a zero-click deanonymization attack that exposes a user's approximate location. The attack targets applications including Signal and Discord, leveraging caching mechanisms in Cloudflare’s infrastructure to infer user geolocations to within a 250-mile radius—without any user interaction.
The attack exploits the caching behavior of content delivery networks (CDNs) like Cloudflare. According to Daniel, “If we can get a user’s device to load a resource on a Cloudflare-backed site, causing it to be cached in their local datacenter, we can then enumerate all Cloudflare datacenters to identify which one cached the resource.”
When an app like Signal or Discord automatically downloads a file, such as a profile picture or an attachment, a copy of the resource is cached in the Cloudflare datacenter nearest to the recipient. Using tools like the Cloudflare Teleport proxy, an attacker can determine which datacenter holds that copy, and thus approximate the user’s location.
Daniel demonstrated the attack on Signal, a platform widely trusted by journalists and activists. By sending an attachment via Signal’s CDN, he was able to determine which datacenter cached the resource. “In my case, I’m in New York, and one of the closest datacenters to me is Newark, NJ (EWR), which is about 150 miles from my actual coordinates,” he wrote.
Discord, another popular application, was found equally vulnerable. Daniel described how the attack could be executed through custom emojis or friend request notifications. When a friend request notification is sent, it includes the sender’s avatar URL. The recipient’s device downloads this image automatically, triggering the cache geolocation attack.
Cloudflare patched the specific bug in its network that allowed for easy datacenter traversal. However, Daniel discovered alternative methods to bypass the fix, including using VPNs. “Using this new method, I’m able to reach about 54% of all Cloudflare datacenters again,” he stated.
Despite disclosure to affected platforms like Signal and Discord, responses were underwhelming. Signal dismissed the issue, claiming, “it was up to users to hide their identity.” Similarly, Discord pointed to Cloudflare’s responsibility to mitigate such attacks.
Cloudflare, while patching the Teleport bug, deflected responsibility, stating, “It is up to [our customers] to disable caching for resources they wish to protect.”
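Cloudflare's answer puts the burden on the service operator: user-specific resources must not be cacheable at the edge. As an added example that is not part of this article or of hackermondev's research, the following Python audit checks response headers for avatars, attachments and similar per-user objects and flags any that a shared CDN cache would store. The header names `Cache-Control` and `CF-Cache-Status` are real; the sample responses, the resource names and the verdict labels are constructed for illustration.

```python
"""Audit HTTP response headers for shared-cache exposure of user-specific resources.

Constructed example: given the headers a client received for a per-user object
(avatar, attachment), decide whether a CDN edge keeps, or may keep, a copy.
"""
from dataclasses import dataclass
from typing import Dict, List

# CF-Cache-Status values reporting that the serving edge stores (or has stored) the object.
EDGE_STORED = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}
# CF-Cache-Status values reporting that the edge declined to store the object.
EDGE_SKIPPED = {"BYPASS", "DYNAMIC"}


@dataclass(frozen=True)
class CacheVerdict:
    state: str   # "cached-at-edge" | "cacheable" | "not-cacheable" | "unknown" (constructed labels)
    reason: str


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into {directive: argument}; bare directives map to ''."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def assess_headers(headers: Dict[str, str]) -> CacheVerdict:
    """Classify one response. CF-Cache-Status wins when present because it reports
    what the edge actually did, which is the fact that matters for this attack."""
    h = {k.lower(): v for k, v in headers.items()}
    status = h.get("cf-cache-status", "").strip().upper()
    cc = parse_cache_control(h.get("cache-control", ""))

    if status in EDGE_STORED:
        return CacheVerdict("cached-at-edge", f"CF-Cache-Status={status}: the serving datacenter keeps a copy")
    if status in EDGE_SKIPPED:
        return CacheVerdict("not-cacheable", f"CF-Cache-Status={status}: the edge did not store the object")
    if "no-store" in cc or "private" in cc:
        return CacheVerdict("not-cacheable", "Cache-Control forbids storage in a shared cache")
    for directive in ("s-maxage", "max-age"):
        if directive in cc:
            try:
                ttl = int(cc[directive])
            except ValueError:
                break
            if ttl <= 0:
                return CacheVerdict("not-cacheable", f"{directive}={ttl}: nothing is retained")
            return CacheVerdict("cacheable", f"{directive}={ttl}: a shared cache may retain the object")
    if "public" in cc:
        return CacheVerdict("cacheable", "Cache-Control: public with no TTL; a shared cache may retain it")
    return CacheVerdict("unknown", "no cache directives: the CDN's default rules decide, verify explicitly")


def flag_risky(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the names of resources that are not positively confirmed as non-cacheable."""
    return [name for name, hdrs in responses.items() if assess_headers(hdrs).state != "not-cacheable"]


# Constructed sample responses, keyed by a made-up resource name.
SAMPLE_RESPONSES = {
    "avatar-cached": {"Cache-Control": "public, max-age=31536000", "CF-Cache-Status": "HIT"},
    "attachment-hardened": {"Cache-Control": "private, no-store", "CF-Cache-Status": "BYPASS"},
    "origin-only": {"Cache-Control": "public, s-maxage=600"},
    "no-directives": {"Content-Type": "image/png"},
    "zero-ttl": {"Cache-Control": "max-age=0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict = assess_headers(hdrs)
        print(f"{name:22s} {verdict.state:15s} {verdict.reason}")
    print("needs attention:", flag_risky(SAMPLE_RESPONSES))
```

Resources that come back as anything other than `not-cacheable` are the ones an operator would want to serve with `Cache-Control: private, no-store` (or exclude from CDN caching) so that no edge datacenter retains a per-recipient copy. An `unknown` verdict is deliberately treated as risky rather than safe, since a missing directive leaves the decision to the CDN's defaults.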
The attack poses a significant threat to individuals in sensitive roles, including journalists, activists, and whistleblowers. Daniel emphasized, “This attack can be used to track Signal accounts, correlate identities, find employees meeting with journalists and much more.”