A newly discovered flaw in Cloudflare’s content delivery network (CDN) could allow attackers to approximate a target’s location within 50-300 miles by sending them an image on platforms like Signal and Discord. This zero-click attack raises serious privacy concerns for journalists, activists, and other privacy-conscious individuals.
How the Flaw Works
Security researcher Daniel uncovered that Cloudflare caches media resources at the data center nearest to the user to improve load times. By exploiting a bug in Cloudflare Workers, Daniel was able to route requests through specific data centers using a tool he called Cloudflare Teleport.
This method allowed the attacker to enumerate cached responses from different data centers. By analyzing which data center responded, the attacker could deduce the victim’s approximate location based on nearby airport codes.
Stealthy Zero-Click Tracking Explained
Three months ago, a security researcher named Daniel discovered a vulnerability in how Cloudflare’s content delivery network (CDN) handles media requests. Cloudflare’s CDN improves website performance by caching media files (such as images) at the data center closest to the user. This optimization inadvertently created a method for tracking a target’s approximate location without their knowledge or interaction.
How the Zero-Click Deanonymization Works
- Sending a Malicious Image: The attack starts with the attacker sending the target a message containing an image hosted on Cloudflare’s CDN. This could be a seemingly innocuous file, such as a screenshot or a profile picture.
- Exploiting Cloudflare Workers: Using a custom-built tool called Cloudflare Teleport, the researcher exploited a bug in Cloudflare Workers—a feature that allows developers to customize CDN behavior. The bug enabled the attacker to arbitrarily route requests through specific Cloudflare data centers, overriding the usual behavior that routes requests through the data center closest to the user.
- Mapping the Target’s Location: By enumerating the cached responses from multiple data centers, the attacker could identify which data center returned the requested image. Each data center corresponds to a nearby airport code, allowing the attacker to deduce the target’s general location within a radius of 50 to 300 miles.
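As an added defender-side example (not from the article and not the researcher's tooling), the following Python audit checks whether a per-recipient media response would be stored at a Cloudflare edge data center, using the documented cf-cache-status and cf-ray response headers, and produces the origin headers that keep such an object out of the cache. The URLs and header values are constructed; the serving data center is read from the airport-code suffix of cf-ray.

```python
import re
# Constructed sample edge responses for per-recipient attachments (not captured
# from any real deployment; only the header names are Cloudflare's).
SAMPLE_RESPONSES = {
    "https://cdn.example.test/attachments/msg-1/photo.png": {
        "cf-cache-status": "HIT", "cf-ray": "8a1b2c3d4e5f6789-SEA",
        "cache-control": "public, max-age=14400"},
    "https://cdn.example.test/attachments/msg-2/photo.png": {
        "cf-cache-status": "MISS", "cf-ray": "8a1b2c3d4e5f678a-FRA",
        "cache-control": "public, max-age=14400"},
    "https://cdn.example.test/attachments/msg-3/photo.png": {
        "cf-cache-status": "BYPASS", "cf-ray": "8a1b2c3d4e5f678b-LHR",
        "cache-control": "private, no-store"},
}

# cf-ray ends in the IATA airport code of the data center that handled the request.
COLO_RE = re.compile(r"-([A-Z]{3})$")
# cf-cache-status values meaning the object is, or will now be, stored at that edge.
STORED_STATUSES = {"HIT", "MISS", "EXPIRED", "STALE", "UPDATING", "REVALIDATED"}

def parse_edge_headers(headers):
    """Return (cache status, data center code) from a Cloudflare response."""
    h = {k.lower(): v for k, v in headers.items()}
    status = h.get("cf-cache-status", "").upper() or None
    m = COLO_RE.search(h.get("cf-ray", ""))
    return status, (m.group(1) if m else None)

def cache_exposure_risk(headers):
    """'high' if a per-recipient asset is stored at the edge, else 'low'."""
    # A cached copy at one data center is a location signal: whoever can query
    # the cache at several data centers learns which one the recipient used.
    h = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if directives & {"private", "no-store"}:
        return "low"  # the edge does not store these by default
    status, _ = parse_edge_headers(headers)
    return "high" if status in STORED_STATUSES else "low"

def harden_cache_headers(headers):
    """Copy of the origin headers with directives that keep the edge from caching."""
    # An edge cache rule that overrides origin headers still needs its own review.
    hardened = dict(headers)
    hardened["cache-control"] = "private, no-store"
    return hardened

if __name__ == "__main__":
    for url, hdrs in SAMPLE_RESPONSES.items():
        status, colo = parse_edge_headers(hdrs)
        print(f"{status:7} {colo}  risk={cache_exposure_risk(hdrs)}  {url}")
```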
[Figure: Calculating response times]
Source: hackermondev | GitHub