This news shakes up the world of IT security a little because a young 15-year-old security researcher highlighted a flaw in Cloudflare’s cache system which allows any user of applications like Signal or Discord to be geolocated. And the most worrying thing is that this technique even works without the victim having to click on anything!
To fully understand, let’s start with the basics. Cloudflare is a web juggernaut that hosts and accelerates a large number of sites and applications via its CDN (Content Delivery Network), a network of hundreds of servers distributed across 330 cities in 120 countries. In fact, this is what I have been using here for my site for years.
The principle is simple: when you receive an image on Signal or Discord, it is automatically downloaded from the Cloudflare server closest to you to optimize performance. And this is where it gets interesting… By analyzing which server cached the image, an attacker can determine your geographic area with an accuracy of around 400 km!
I know, that’s a wide area, but sometimes it can be enough to find a specific person when there are prior suspicions. Moreover, the technique is particularly vicious because it requires no action on the part of the victim. It is simply a matter of:
- Sending a single image via the app
- Observing which Cloudflare datacenter cached the image
- Deducing the approximate location of the user
The most worrying thing is that even if the person never opens the message, just receiving a push notification is enough because the app automatically downloads the image in the background. In the case of Discord, even a simple friend request can trigger this mechanism.
This vulnerability is particularly worrying for certain categories of users:
- Journalists who must protect their sources
- Activists and dissidents who risk being located
- Whistleblowers who wish to remain anonymous
The researcher also demonstrated the power of this technique by locating Discord’s CTO in San Francisco, proving that it could be used to track specific targets.
However, faced with this discovery, reactions were disappointing. Signal dismissed the issue by explaining that network anonymity was not in their mission, considering that it was up to users to use VPNs or Tor. Discord simply passed the buck to Cloudflare, calling it a “general service provider issue.”
As for Cloudflare, it awarded a $200 bounty to the researcher and fixed the specific flaw that was used, but other variants of the technique remain exploitable, notably through the use of VPNs.
While waiting for a real solution, here are some recommendations:
- Use a VPN to hide your true location
- Turn off push notifications for sensitive applications
- Configure Signal/Discord to not automatically download media
- Choose Tor for truly sensitive communications
In any case, this discovery raises the question of the responsibility of technical actors: who should be responsible for protecting the privacy of users? The apps? Infrastructure providers? Both? The users themselves?
In short, stay vigilant and keep in mind that even a simple notification could reveal your location…