A recent discovery by a 15-year-old security researcher named Daniel revealed a critical flaw in the widely used Cloudflare content delivery network (CDN) that could potentially expose someone’s location without their knowledge. The vulnerability, which was uncovered three months ago by Daniel and shared on GitHub Gist, poses a serious risk to journalists, activists, and hackers who rely on anonymity to protect themselves.
According to Daniel’s research, the flaw in Cloudflare’s CDN allows an attacker to pinpoint the location of a target within a 250-mile radius by sending a malicious payload disguised as an image through vulnerable applications like Signal and Discord. By utilizing either a one-click or zero-click approach, the attacker can exploit the cache geolocation method and deanonymize the target within seconds.
The root of this vulnerability lies in Cloudflare’s caching feature, which stores copies of frequently accessed content in its data centers to enhance website performance. When a user’s device requests a cacheable resource, Cloudflare serves it through the data center closest to that user and keeps a copy there. An attacker who can tell which data center holds the cached copy therefore learns which region the user was in when the resource loaded.
Although Daniel encountered obstacles in executing this attack flow initially, he eventually discovered a workaround that enables attackers to send requests to specific Cloudflare data centers using Cloudflare Workers. By developing a tool called Cloudflare Teleport, a proxy powered by Cloudflare Workers, Daniel successfully redirected HTTP requests to targeted data centers, further exploiting the flaw.
Daniel demonstrated the exploit by sending location-revealing images via Signal and Discord, showcasing the ease with which attackers can compromise a target’s privacy. In Signal, a one-click attack leverages cached geolocation to reveal the recipient’s location, while a zero-click attack exploits push notifications in the app, permitting location tracking without user interaction.
Similarly, Discord users are susceptible to the flaw through a custom emoji loaded from Discord’s CDN and cached on Cloudflare. By embedding a malicious emoji in their user status, an attacker can trigger a deanonymization attack when the target views their profile, highlighting the critical impact of this vulnerability across various platforms.
Upon reporting the bug to Signal, Discord, and Cloudflare, Daniel received mixed responses in terms of mitigation efforts. While Cloudflare addressed the Cloudflare Workers bug and rewarded Daniel with a bug bounty, Signal and Discord did not take immediate action to mitigate the issue fully, each pointing to the other companies as responsible.
Despite Cloudflare’s efforts to patch the vulnerability, Daniel found a workaround using a VPN provider with a broad server network, which once again let him reach over half of Cloudflare’s data centers. As a result, any application that delivers and caches user-specific content through a CDN remains exposed to this kind of location tracking, emphasizing the need for improved security measures.
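The defensive lever that the caching explanation above points to is the application’s own cache policy: a per-recipient image that the CDN is allowed to store at the edge is the thing that becomes locatable. The following Python block is an added example, not code from Daniel’s research or from Cloudflare, Signal or Discord. It parses Cache-Control directives the way a shared cache would (RFC 9111), flags responses for user-specific media that an edge cache could store, and produces a header set that keeps such media out of shared caches. The sample responses are constructed; the endpoint names and the `is_per_user` flag are assumptions for illustration.

```python
"""Audit whether user-specific responses could be stored by a shared (CDN)
cache, and emit headers that prevent it. Added example; sample data below is
constructed and the endpoint names are hypothetical."""

from typing import Dict, List, Tuple


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control header into {directive: argument}.
    Directive names are case-insensitive per RFC 9111 section 5.2."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a shared cache (a CDN edge) may store this response.
    Only the directives that matter for this question are modelled:
    no-store and private forbid storage; public / max-age / s-maxage allow
    it; with no explicit policy a cache may store heuristically, which is
    the risky default for media served from a CDN."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc:
        return False, "no-store: no cache may store the response"
    if "private" in cc:
        return False, "private: only the end user's own cache may store it"
    if "s-maxage" in cc or "max-age" in cc or "public" in cc:
        return True, "explicit freshness lets the shared cache store it"
    return True, "no explicit policy: edge may cache heuristically"


def hardened_headers() -> Dict[str, str]:
    """Headers for media that is tied to a specific recipient.
    Cache-Control keeps every shared cache out; CDN-Cache-Control (RFC 9213,
    targeted cache control) repeats the instruction for CDNs that honour the
    targeted form in preference to Cache-Control."""
    return {
        "Cache-Control": "private, no-store",
        "CDN-Cache-Control": "no-store",
    }


def audit(responses: List[Dict]) -> List[str]:
    """Return one finding per user-specific response that a CDN could store.
    Each entry: {"path": str, "is_per_user": bool, "headers": dict}."""
    findings: List[str] = []
    for r in responses:
        if not r["is_per_user"]:
            continue
        storable, reason = shared_cache_may_store(r["headers"])
        if storable:
            findings.append(f'{r["path"]}: edge-cacheable ({reason})')
    return findings


# Constructed sample: three responses as an app might serve them today.
SAMPLE_RESPONSES = [
    {   # attachment sent to one recipient, but cached like a public asset
        "path": "/attachments/msg-1/photo.png",
        "is_per_user": True,
        "headers": {"Cache-Control": "public, max-age=31536000"},
    },
    {   # custom emoji shown when a specific profile is viewed, no policy set
        "path": "/emojis/status-42.png",
        "is_per_user": True,
        "headers": {},
    },
    {   # the same attachment served with the hardened policy
        "path": "/attachments/msg-2/photo.png",
        "is_per_user": True,
        "headers": hardened_headers(),
    },
]


if __name__ == "__main__":
    for line in audit(SAMPLE_RESPONSES):
        print("FINDING:", line)
```

Running the block prints two findings (the public attachment and the emoji with no policy) and none for the hardened response. The trade-off for an application is real: `no-store` on per-recipient media means the origin serves every fetch itself, so the check is best applied only to resources whose request is attributable to one viewer, not to genuinely shared assets.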
In light of the potential risks posed by this flaw, privacy-conscious individuals are advised to limit their exposure on affected apps to safeguard their location data effectively. Roger Grimes, a data-driven defense evangelist, warns that similar vulnerabilities may exist in other CDNs, underscoring the importance of proactive security measures in the face of evolving threats.