Cloudflare Issue Can Leak Chat App Users' Broad Location
Cloudflare Issue Can Leak Chat App Users' Broad Location
A security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user might be in.
cross-posted from: https://lemmy.ca/post/37638868 [email protected]
This affects Signal too
An issue with Cloudflare allows an attacker to find which Cloudflare data center a messaging app used to cache an image, meaning an attacker can obtain the approximate location of Signal, Discord, Twitter/X, and likely other chat app users. In some cases an attacker only needs to send an image across the app, with the target not clicking it, to obtain their location.
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117?ref=404media.co
Signal, an open-source encrypted messaging service, is widely used by journalists and activists for its privacy features. Internally, the app utilizes two CDNs for serving content: cdn.signal.org (powered by CloudFront) for profile avatars and cdn2.signal.org (powered by Cloudflare) for message attachments.
i think this would be true of basically any large service that had multiple data centers. whichever one catches your data is the one closest to you.
the difficulty is accessing that data even if you can't read it you still have the closest location.
sounds to me like the Internet working as intended. if you want true privacy you need to take extra steps
Agreed. Privacy is always a balance between your threat model and useability. If your general location is enough to put you in danger, hopefully you're already aware of how your data is being sent over the various networks and have measures in place to stay safe.
For most people, knowing very generally where they are isn't especially useful information to anyone with an interest in surveillance.
Not even guaranteed to be the closest data center. It’s not completely out of the ordinary for there to be a faster route available to a data center farther away.
true, true
On the one hand, deanonimization attacks are never entirely avoidable on unhardened targets and this one isn't particularly sophisticated and leaks relatively little information.
On the other hand deanonimization attacks are always bad and it's a good reminder to people of the risks they are taking. This is also slightly non-obvious behavior, even if it makes sense to the technically competent, as something like an IP grabber normally requires user interaction such as clicking a link. It's also a vector that CF might be able to mitigate by patching the ability to query a given cache directly.
they should be able to patch that as long as nothing relies on it working as is
I don't want to be a contrairian, but your cellphone carrier does this non stop. Cloudflare is not a good company, but this is the least of your problems.
Another reason why Cloudflare sucks.
oh no, now they nkow I'm in the US North East, assuming I'm not using a VPN...
Another reason to not use Cloudflare. Not that long ago they also "lost the log records" (this incident happened on November 14, 2024). I strongly believe the internet can become better without Cloudflare, especially now basically the whole world is depending on it.
It is impossible to use most of corpo internet if you block cloudflare. Shit is wild.
Not sure who is down voting you lol
I wish people would respond with a rebuttal so we can move convo forward.
Sorry to see so many people still down vote me. What is wrong with you? The internet has become a joke. Moving all to cloudflare will only make the problem worse.
You don't need a VPN mate...
It ain't a solution but surely would help here