Cloudflare Issue Can Leak Chat App Users' Broad Location

Cpvr

A security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user might be in.

An issue with Cloudflare allows an attacker to find which Cloudflare data center a messaging app used to cache an image, meaning an attacker can obtain the approximate location of Signal, Discord, Twitter/X, and likely other chat app users. In some cases an attacker only needs to send an image across the app, with the target not clicking it, to obtain their location.

Although the obtained location data is very coarse—in some of 404 Media’s tests it showed what city or state someone was in but did not provide more accurate information than that—the news shows the importance for some at-risk users to protect not just their message contents, but their network activity as well.

“It's more of an oversight in the way the mobile application works than a vulnerability in the actual code but regardless, I thought it should be fixed,” daniel, an independent security researcher who reported the issue to Cloudflare, told 404 Media in an email. daniel said Cloudflare has since fixed the specific issue his custom-made tool was using.

The issue centers around Cloudflare’s Content Delivery Network, or CDN. A CDN is a system that caches content across a mass of distributed servers, then delivers content to a user based on their location. So, if a user was in San Francisco, Cloudflare’s CDN would use the part of their CDN nearest to the user to speed up delivery of that content. Cloudflare says it has data centers in 330 cities across more than 120 countries. Many apps then use Cloudflare’s CDN to help deliver content to users.

This creates a side effect of a third-party potentially being able to learn which part of Cloudflare’s CDN was used when sending an image, and from that infer a user’s location. “This huge network of data centers introduces a huge flaw,” daniel writes in a summary of his findings shared with 404 Media. “Cloudflare partitions cache through data centers, and because of this bad actors can very easily correlate caches and triangulate user locations. Each of Cloudflare's data center locations has its own local cache storage to serve content faster so it's possible to check each datacenter to see where content was cached.” Those data centers in 330 cities become ways to potentially track somebody, albeit with broad strokes of hundreds of miles.

To do the attack, daniel would send the target an image through the messaging app. He would then use Burp Suite, the popular web application security tool, to grab the URL of the uploaded image. Then, he would use a tool he made called Cloudflare Teleport to send a request to every Cloudflare data center to see which data center had cached the image. These queries would return the results “HIT” or “MISS”. With a hit, he now knows which data center the target was likely closest to, revealing their potential location.

404 Media asked daniel to demonstrate the issue by learning the location of multiple Signal users with their consent. In one case, daniel sent a user an image. Soon after, daniel sent a link to a Google Maps page showing the city the user was likely in. In some cases, the attack requires the target to open the chat conversation; in others, a push notification may load the image so there is no need for the victim to open the app. daniel said they also tested the issue on Discord, which can deliver the image through a friend request, and his write-up also mentions Twitter/X.

It is widely understood that when someone visits a website or uses an app, the administrators of that site or app will probably see the visitor’s IP address. This is simply part of how the internet works. But it is probably less understood that in some cases a third-party attacker could potentially learn similar information about another user.

Many users of messaging apps will not need to be concerned about this. But people who try to protect their physical location even at the level of a country or city, such as activists, may need to be, especially those who try to maintain anonymity. A virtual private network (VPN) might protect people from this particular issue, but VPNs introduce their own security issues, and the VPN industry is full of snake oil merchants.

daniel said they reported the issue to Cloudflare, Signal, and Discord. Jackie Dutton, senior manager for public relations, cybersecurity and threat intel, at Cloudflare told 404 Media in an email the company had fixed the issue.

“As summarized in the researcher's note, this exploit was disclosed through our bug bounty program. We have resolved the issue,” she wrote. “We believe bug bounties are a vital part of every security team’s toolbox.”

Discord provided a statement from Kevin Hanaford, head of security at Discord. “We are aware of this incident and determined it to be a general issue with a service provider. We reported this issue to the service provider as soon as we were made aware of it, and they are in the process of implementing a fix,” he said.

404 Media first asked Signal for comment in early December. The organization did not provide a statement in time for publication, but daniel shared their response to his bug report.

“What you're describing (observing cache hits and misses) is a generic property of how Content Distribution Networks function. Signal's use of CDNs is neither unique nor alarming, and also doesn't impact Signal's end-to-end encryption. CDNs are utilized by every popular application and website on the internet, and they are essential for high-performance and reliability while serving a global audience,” Signal’s security team wrote.

“There is already a large body of existing work that explores this topic in detail, but if someone needs to completely obscure their network location (especially at a level as coarse and imprecise as the example that appears in your video) a VPN is absolutely necessary. That functionality falls outside of Signal's scope. Signal protects the privacy of your messages and calls, but it has never attempted to fully replicate the set of network-layer anonymity features that projects like Wireguard, Tor, and other open-source VPN software can provide,” it added.

Twitter/X did not immediately respond to a request for comment.

At the time of writing, daniel’s Cloudflare Teleport tool is inaccessible because Cloudflare fixed the bug it was exploiting, daniel said. He said he can still broadly do the same sort of attack, but “it’s a little harder” now. Instead of using his tool, he uses a VPN to route his traffic to different locations and then sends requests to Cloudflare’s data centers, he said.

“It's not as efficient to do as through the previous method but it still works,” he said.

Source: https://www.404media.co/cloudflare-issue-can-leak-chat-app-users-broad-location/
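The scan the article describes leaves a signature in the asset owner's own edge logs: a single cached image requested from many distinct Cloudflare data centers within seconds, with a MISS everywhere except the colo that already held it. The detection below is an added example, not code from the article, 404 Media, daniel or Cloudflare; its log line format (timestamp, three-letter colo code as found in the cf-ray header suffix, cache status, path) is constructed for the example and is not Cloudflare's Logpush schema.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample edge log: the first asset shows the probe pattern
# (six data centers in seven seconds, one HIT at the colo that cached it);
# the second asset is ordinary traffic from two colos hours apart.
SAMPLE_LOG = """\
2025-01-20T10:00:00Z SFO HIT /attachments/1234/photo.png
2025-01-20T10:00:03Z LAX MISS /attachments/1234/photo.png
2025-01-20T10:00:04Z ORD MISS /attachments/1234/photo.png
2025-01-20T10:00:05Z FRA MISS /attachments/1234/photo.png
2025-01-20T10:00:06Z SIN MISS /attachments/1234/photo.png
2025-01-20T10:00:07Z SYD MISS /attachments/1234/photo.png
2025-01-20T10:00:01Z AMS MISS /attachments/9999/avatar.png
2025-01-20T12:30:00Z LHR MISS /attachments/9999/avatar.png
"""


def parse_line(line):
    """Split one constructed log line into (utc datetime, colo, status, path)."""
    ts, colo, status, path = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, colo, status, path


def find_probed_assets(log_text, window_s=60, min_colos=5):
    """Return {path: {"distinct_colos": n, "misses": m}} for every asset that was
    requested from at least min_colos different data centers inside any
    window_s-second window. Popular public assets can legitimately reach many
    colos over time, so the short window is what separates a scan from fan-out."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, colo, status, path = parse_line(line)
            by_path[path].append((when, colo, status))
    flagged = {}
    for path, events in by_path.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            colos = {colo for _, colo, _ in window}
            if len(colos) >= min_colos:
                misses = sum(1 for _, _, status in window if status == "MISS")
                flagged[path] = {"distinct_colos": len(colos), "misses": misses}
                break  # one alert per asset is enough
    return flagged


if __name__ == "__main__":
    for path, info in find_probed_assets(SAMPLE_LOG).items():
        print(f"possible cache probe: {path} {info}")
```

Tune window_s and min_colos against a baseline of your own traffic before alerting on it; an asset shared in a large public channel will also fan out across colos, just not within a few seconds.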