A cybersecurity expert has discovered a vulnerability in Cloudflare's content delivery network (CDN) that allows attackers to determine a user's general location by sending an image over platforms like Signal and Discord.
While the level of accuracy is not enough to track a detailed location, the information collected can still reveal the geographic area where the user lives and track the basic movements of the victim.
This finding is of particular concern to groups that require a high level of confidentiality, such as journalists, activists, or cybercriminals. At the same time, it can also become a useful support tool for law enforcement agencies, helping to identify the country or region of a suspect.
The silent "zero-click" attack
Three months ago, security researcher Daniel discovered that Cloudflare cached media resources in the data center closest to users to speed up loading. “I discovered a zero-click attack that allowed an attacker to determine the location of any target within a 250-mile radius without them knowing,” Daniel said.
Calculating response time
Source: hackermondev | GitHub
If the target has one of the affected apps installed on a phone or computer, an attacker could send them a malicious image hosted on the Cloudflare CDN. The attacker would then exploit a vulnerability in Cloudflare Workers, using a custom tool called “Cloudflare Teleport” to route requests through specific data centers.
By counting the number of responses from different data centers, the attacker could determine the victim’s general location based on the airport code closest to the data center. Since apps like Signal and Discord automatically load images for notifications, the user doesn’t need to take any action to be tracked, making this a “zero-click” attack.
Scope of impact and response from platforms
Tracking accuracy ranges from 50 to 300 miles, depending on the location and number of Cloudflare data centers in the area. Accuracy is higher in large cities than in rural areas. In one test, Daniel found that Cloudflare uses anycast routing, which improves accuracy in areas with multiple data centers nearby.
Locate the target
Source: hackermondev | GitHub
The researcher reported the vulnerability to Cloudflare, Signal, and Discord. Cloudflare quickly patched it and awarded $200 through its bug bounty program. However, Signal and Discord considered it a Cloudflare-related issue and not their responsibility.
Although Cloudflare patched the Workers vulnerability, Daniel pointed out that using a VPN in conjunction with Teleport would still allow attacks.
According to BleepingComputer