Cloudflare CDN flaw leaks user location data even through secure chat apps
A security researcher discovered a flaw in Cloudflare's content delivery network (CDN), which could expose a person's general location by simply sending them an image on platforms like Signal and Discord.

While the geolocating capability of the attack is not precise enough for street-level tracking, it can provide enough data to infer what geographic region a person lives in and monitor their movements.

Daniel's finding is particularly concerning for people who are highly concerned about their privacy, like journalists, activists, dissidents, and even cybercriminals.

However, for law enforcement, this flaw could be a boon to investigations, allowing them to learn more about the country or state where a suspect may be located.

Three months ago, a security researcher named Daniel discovered that Cloudflare caches media resources at the data center nearest to the user to improve load times.

"3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250-mile radius," explained Daniel.

"With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds, and you wouldn't even know."

To conduct the information-disclosure attack, the researcher would send a message to someone with a unique image, whether that be a screenshot or even a profile avatar, hosted on Cloudflare's CDN.

Next, he leveraged a bug in Cloudflare Workers that allows forcing requests through specific data centers using a custom tool called Cloudflare Teleport.

This arbitrary routing is normally disallowed by Cloudflare's default security restrictions, which dictate that each request is routed from the nearest data center.

By enumerating cached responses from different Cloudflare data centers for the sent image, the researcher could map the general location of users based on the CDN returning the closest airport code near their data center.

Additionally, since many apps automatically download images for push notifications, including Signal and Discord, an attacker can track a target without user interaction, making this a zero-click attack.

The tracking accuracy ranges between 50 and 300 miles, depending on the region and how many Cloudflare datacenters are nearby. Precision around major cities should be better than in rural or less populated areas.

While experimenting with geolocating Discord's CTO, Stanislav Vishnevskiy, the researcher found that Cloudflare uses anycast routing with multiple nearby data centers handling a request for better load balancing, allowing even better accuracy.

As first reported by 404 Media, the researcher disclosed his findings to Cloudflare, Signal, and Discord, and the former marked it as resolved and awarded him a $200 bounty.

Daniel confirmed that the Workers bug was patched, but by reprogramming Teleport to use a VPN to test different CDN locations, the geolocating attacks are still possible, if a bit more cumbersome now.

"I chose a VPN provider with over 3,000 servers located in various locations across 31 different countries worldwide," explains the researcher in his writeup.

"Using this new method, I'm able to reach about 54% of all Cloudflare datacenters again. While this doesn't sound like a lot, this covers most places in the world with significant population."

Responding to a subsequent request, Cloudflare told the researcher that it is ultimately the user's responsibility to disable caching.

Discord rejected the report as a Cloudflare issue, as did Signal, noting that it's outside their mission's scope to implement network-layer anonymity features.

BleepingComputer has reached out to Signal, Discord, and Cloudflare for a comment on the researcher's findings.

A Cloudflare spokesperson told us the following:

"This was first disclosed in December 2024 through our bug bounty program, investigated, and immediately resolved. The ability to make requests to specific data centres via the 'Cloudflare Teleport' project on GitHub was quickly addressed, as the security researcher mentions in their disclosure. We believe bug bounties are a vital part of every security team's toolbox and continue to encourage third parties and researchers to continue to report this type of activity for review by our team." - Cloudflare spokesperson
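
Cloudflare's position above is that disabling caching is up to the customer. The sketch below is an added example, not code from the article or the researcher. It shows how an operator might audit captured response headers for per-recipient media URLs and flag the ones the edge cache actually handled. The article does not name any headers: `CF-Cache-Status` and `Cache-Control` are the standard Cloudflare and HTTP headers, and the URLs and header values are constructed.

```python
# Added example: classify captured response headers for per-recipient media URLs.
EDGE_CACHED = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}
EDGE_SKIPPED = {"DYNAMIC", "BYPASS"}   # edge cache not used for this response
OPT_OUT = {"no-store", "private"}      # origin asks shared caches not to store


def parse_cache_control(value):
    """Return the lower-cased directive names in a Cache-Control value."""
    return {p.split("=", 1)[0].strip().lower() for p in value.split(",") if p.strip()}


def classify(headers):
    """Return 'edge-cached', 'not-cached' or 'review' for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    status = h.get("cf-cache-status", "").strip().upper()
    opted_out = bool(parse_cache_control(h.get("cache-control", "")) & OPT_OUT)
    if status in EDGE_CACHED:
        # Observed behaviour wins: an edge rule can override origin headers.
        return "edge-cached"
    if status in EDGE_SKIPPED and opted_out:
        return "not-cached"
    # Header missing, or skipped today without an explicit origin opt-out.
    return "review"


def audit(samples):
    """Map each URL to its classification."""
    return {url: classify(h) for url, h in samples.items()}


# Constructed sample data: hypothetical URLs and header values, not real captures.
SAMPLES = {
    "https://media.example.com/avatars/u1.png":
        {"Cache-Control": "public, max-age=31536000", "CF-Cache-Status": "HIT"},
    "https://media.example.com/attachments/a9.jpg":
        {"Cache-Control": "private, no-store", "CF-Cache-Status": "DYNAMIC"},
    "https://media.example.com/attachments/b2.jpg":
        {"Cache-Control": "max-age=60", "CF-Cache-Status": "BYPASS"},
    "https://media.example.com/attachments/c3.jpg":
        {"cache-control": "no-store", "cf-cache-status": "MISS"},
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{verdict:12} {url}")
```

A `review` verdict marks responses that were not cached when sampled but carry no explicit origin opt-out, so a later rule or header change could make them cacheable.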