An issue with popular CDN provider Cloudflare allows an attacker to trace the origins of images sent over chat apps like Discord, Signal, X, and more to determine the city or state from which a message originated. The attack doesn’t necessarily require target participation either, as in some cases, an attacker can send an image to the target to trace their location.
The attack was discovered by a 15-year-old high school junior named Daniel (moniker hackermondev). In a GitHub writeup, Daniel explains that two primary attacks can exploit this vulnerability: one requires the target to open their messaging app and the chat (and thereby send read receipts), while the other is a zero-click attack vector that works as long as the target receives a notification on their phone.
The underlying issue allowing these attacks lies in Cloudflare’s caching systems. To speed up web pages, Cloudflare systems often cache media items like images and serve them to the user through the data centre nearest to the specific user’s location. With hundreds of data centres in 330 cities across more than 120 countries, most internet users have a Cloudflare data centre within 250 miles of them.

Usually, Cloudflare blocks access to out-of-reach data centres, and all TCP connections to its network are handled by the data centre nearest to a particular user. However, these restrictions can be bypassed using an IP range used by Cloudflare WARP, the company’s VPN client.
Once the attacker gains the ability to reach Cloudflare data centres on demand, they can check which data centre cached a particular asset and, hence, obtain a rough estimate of the target’s location. In his real-world demonstrations, hackermondev shows both a 1-click attack and a zero-click attack on Signal and Discord, where he is able to find the nearest Cloudflare data centre that cached an image he sent to a target on both apps and, hence, estimate the target’s physical location.
Another researcher had reported this vulnerability to Cloudflare, but the CDN provider didn’t act until these attacks were reported. The company has since patched the issue and offered both reporters a $200 bug bounty. However, the core issue remains, and every attack shown in hackermondev’s writeup was carried out after the patches were issued.
Cloudflare’s final stance on the situation is that they don’t consider this deanonymisation a vulnerability in their systems, and it’s up to their users to disable caching for any resources they want to protect. On the flip side, Signal and Discord dismissed the vulnerability as an issue on Cloudflare’s end.
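Since Cloudflare’s position is that site operators must opt their sensitive assets out of edge caching, the practical defensive check is a header audit: does a response for user-uploaded media come back with a cache status or Cache-Control that lets the edge keep a copy? The following is an added illustration written for this article, not code from the writeup, from Cloudflare, or from any chat app. It assumes only two documented Cloudflare behaviours: the `CF-Cache-Status` response header (values such as HIT, MISS, BYPASS, DYNAMIC) and the default rule that `private`, `no-store`, `no-cache` or a zero `max-age` prevents edge caching. The sample header sets are constructed.

```python
import urllib.request
from typing import Mapping, Optional

# Cache-Control directives that Cloudflare's default behaviour treats as "do not store at the edge".
NO_EDGE_CACHE = {"private", "no-store", "no-cache"}

# CF-Cache-Status values that mean the edge has (or is about to keep) a stored copy.
STORED_STATUSES = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}
# Values that mean the edge is explicitly not caching this response.
NOT_STORED_STATUSES = {"BYPASS", "DYNAMIC"}


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control header into {directive: value_or_None} with lowercase keys."""
    out: dict = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') or None
    return out


def edge_cacheable(headers: Mapping[str, str]) -> bool:
    """Return True if these response headers indicate the asset is, or may be, cached at the edge.

    A cached copy is exactly what the deanonymisation technique in the article relies on,
    so True here is the finding a defender wants to eliminate for private media.
    """
    h = {k.lower(): v for k, v in headers.items()}
    status = h.get("cf-cache-status", "").upper()
    if status in STORED_STATUSES:
        return True
    if status in NOT_STORED_STATUSES:
        return False
    # No explicit edge status: fall back to what the origin's Cache-Control permits.
    cc = parse_cache_control(h.get("cache-control", ""))
    if NO_EDGE_CACHE & cc.keys():
        return False
    if cc.get("max-age") == "0" or cc.get("s-maxage") == "0":
        return False
    return True


def audit(headers: Mapping[str, str], label: str = "asset") -> str:
    """Return a one-line finding suitable for a report or a CI check."""
    if edge_cacheable(headers):
        return f"FINDING: {label} is cacheable at the CDN edge; serve it with Cache-Control: private, no-store"
    return f"OK: {label} is not stored at the CDN edge"


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """Optional live check: HEAD the URL and return its response headers (not used in the offline demo)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real service).
SAMPLE_WEAK = {
    "CF-Cache-Status": "HIT",
    "Cache-Control": "public, max-age=31536000",
    "Content-Type": "image/png",
}
SAMPLE_HARDENED = {
    "CF-Cache-Status": "BYPASS",
    "Cache-Control": "private, no-store",
    "Content-Type": "image/png",
}
SAMPLE_ORIGIN_ONLY = {  # no Cloudflare status header at all, judged from Cache-Control alone
    "Cache-Control": "public, max-age=3600",
}

if __name__ == "__main__":
    print(audit(SAMPLE_WEAK, "attachment (weak)"))
    print(audit(SAMPLE_HARDENED, "attachment (hardened)"))
    print(audit(SAMPLE_ORIGIN_ONLY, "attachment (origin headers only)"))
```

Run against a handful of your own attachment URLs with `fetch_headers`, any "FINDING" line marks an endpoint whose responses an edge node will keep, which is the precondition the article describes. The fix on the origin side is the `private, no-store` header shown in the hardened sample, or an equivalent cache rule in the CDN configuration.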
Cloudflare recently stopped a 5.6 Tbps DDoS attack, the largest ever recorded. The Mirai botnet attacked with over 13,000 compromised devices, targeting an East Asian ISP. According to Cloudflare, its systems didn’t even raise any alarms, as all detection and mitigation efforts were fully autonomous.