Cloudflare Vulnerability Exposed Locations of Discord, Signal, and X Users

By Ava McKinneyOnline Safety

Cloudflare Vulnerability Exposed Locations of Discord, Signal, and X Users

The publication 404 Media has reported a vulnerability in Cloudflare that allowed attackers to determine which company data center was used to cache a particular image. As a result, a malicious actor could roughly identify the location of users of Signal, Discord, X (formerly Twitter), and other apps. In practice, an attacker only needed to send any image to the target, and the victim didn’t even have to click on the picture for the attack to work.

The report notes that this method only reveals approximate location data: in 404 Media’s tests, the attack could show the city or state where a person was located, but not more precise information. However, the attack still posed a threat to users.

“Most likely, this is a bug in the mobile app’s operation, not a vulnerability in the code itself, but I still think it needs to be fixed,” said independent security researcher Daniel, who discovered the issue, in an interview with the publication.

He emphasized that Cloudflare developers have already fixed the bug that his custom tool exploited.

How the Attack Worked

The problem was related to Cloudflare’s Content Delivery Network (CDN), which caches content on many distributed servers and then delivers it to users based on their location. For example, if a user is in San Francisco, Cloudflare’s CDN uses the nearest part of its network to speed up content delivery. Cloudflare claims its data centers are located in over 330 cities across 120 countries, and many apps use the company’s CDN to deliver content.

It turned out that this setup allowed outsiders to determine which part of Cloudflare’s CDN was used to deliver an image, and from that, infer the recipient’s location.

“Cloudflare splits its cache by data center, and attackers can easily match the cache and triangulate users’ locations,” Daniel explained. “Each Cloudflare data center has its own local cache storage for faster content delivery, so you can check each data center to see where the content was cached.”

To carry out the attack, Daniel sent an image to the target via a messenger or other app. He then used Burp Suite to intercept the URL of the uploaded image. Next, he used his custom tool, called Cloudflare Teleport, to send requests to every Cloudflare data center to find out which one had cached the request.

Cloudflare Teleport’s requests would return either “HIT” or “MISS.” If it was a “HIT,” the researcher would know which data center was near the target, allowing him to determine their approximate location.

Real-World Testing and Responses

Journalists asked Daniel to demonstrate the attack in practice and were able to determine the locations of several Signal users (with their consent). In some cases, the attack required opening a chat, but in others, a push notification could load the image, and the victim didn’t even need to open the app.

In his report, Daniel noted that he also tested the issue in Discord and X, confirming it worked there as well.

The researcher said he notified Cloudflare, Signal, and Discord developers about the problem last year. Cloudflare representatives assured 404 Media that the company has already fixed the bug.

Discord provided a statement from Kevin Hanaford, Head of Security at Discord:

“We are aware of this incident and have determined that it is an issue with a service provider. We immediately notified the provider of the problem, and they are now working to resolve it.”

Representatives from Signal and X did not respond to journalists’ requests, but Daniel shared Signal’s response to his original bug report:

“What you describe (observing cache hits and misses) is characteristic of how CDNs work. Using a CDN in Signal is neither unique nor concerning, and it does not affect end-to-end encryption. CDNs are used by all popular apps and websites on the internet, and they are necessary to ensure high performance and reliability for a global audience.

There is a large body of research on this topic, but if someone needs to completely hide their location online (especially at the coarse level shown in your example), a VPN is absolutely necessary. This functionality is outside the scope of Signal. Signal protects the privacy of your messages and calls, but it has never tried to replicate the set of network-level anonymity features provided by projects like Wireguard, Tor, and other open-source VPN solutions.”

Current Status

Cloudflare Teleport no longer works, as Cloudflare has fixed the bug Daniel used. However, according to the researcher, it is still possible to carry out a similar attack, though it is now “a bit more complicated.” Instead of his tool, he now uses a VPN to route traffic to different locations and then sends requests to Cloudflare data centers.

“It’s not as effective as the previous method, but it still works,” the specialist noted.

Leave a Reply