Cloudflare Bug Exposed Broad Locations Of Chat App Users
A recently discovered issue in Cloudflare’s Content Delivery Network (CDN) highlights how attackers could pinpoint a chat app user’s approximate location, as reported today by 404 Media.
In a Rush? Here are the Quick Facts!
- Cloudflare bug allowed attackers to infer users’ locations via cached images.
- Exploit affected apps like Signal, Discord, and Twitter/X.
- Attack required sending an image; users didn’t need to open it.
The bug allowed hackers to determine which Cloudflare data center cached an image sent through popular apps like Signal, Discord, and Twitter/X. By exploiting this, attackers could infer a user’s city or state, though not exact locations.
The vulnerability centers on how Cloudflare’s CDN operates. CDNs improve content delivery by caching data across servers worldwide. When an image is sent through a chat app, it is cached by the data center closest to the recipient, as noted by 404 Media.
A fifteen-year-old security researcher known as “daniel” created a tool named Cloudflare Teleport to exploit this behavior. By analyzing which data center responded to a query, the tool could identify the user’s general location, says 404 Media.
404 Media explains that the attack worked as a sequence of steps. First, an attacker would send an image to the target through a messaging app. They would then use Burp Suite, a popular web application security tool, to extract the URL of the uploaded image.
Next, the attacker would use a custom tool to query all Cloudflare data centers, checking where the image had been cached. If a specific data center returned a “HIT” response, it indicated the approximate location of the target.
In testing, daniel successfully identified the location of Signal users, even without them opening the image. A push notification could preload the image, making it possible to infer a user’s city or state without direct interaction, as reported by 404 Media.
This vulnerability raises concerns for users requiring anonymity, such as activists or whistleblowers. Although the revealed data is coarse, it underscores the potential risks of network-layer surveillance. Using a Virtual Private Network (VPN) might mitigate this issue, but VPNs come with their own limitations and risks, says 404 Media.
404 Media notes that Cloudflare has since patched the specific issue exploited by daniel’s tool, according to Jackie Dutton, a senior cybersecurity representative at the company. However, daniel noted that similar attacks remain possible through more labor-intensive methods, such as manually routing requests via a VPN to different locations.
Messaging apps like Signal and Discord emphasized the inherent limitations of CDNs, noting their necessity for global performance. Signal, in particular, stated that its end-to-end encryption remains unaffected and recommended VPNs for users needing enhanced anonymity.
While the immediate exploit has been resolved, the incident highlights ongoing privacy risks in digital communication platforms. Users concerned about location privacy should consider additional security measures beyond those provided by standard apps.