Victim: Signal, Discord
Price: N/A
Data: User geolocation data
Key points:
- 0-click deanonymization attack capable of exposing user locations.
- Targets applications including Signal and Discord.
- Leverages caching mechanisms in Cloudflare’s infrastructure.
- Can infer user geolocations within a 250-mile radius without user interaction.
- Demonstrated on Signal by sending an attachment via CDN.
- Discord is vulnerable through custom emojis or friend request notifications.
- Cloudflare patched the specific bug but alternative methods were found to bypass the fix.
- Responses from Signal and Discord were underwhelming, with both platforms deflecting responsibility.
- Significant threat to individuals in sensitive roles, such as journalists and activists.
- Daniel emphasized the attack’s potential to track Signal accounts and correlate identities.
Original Source: https://securityonline.info/signal-and-discord-vulnerabilities-exposed-0-click-deanonymization-attack-revealed/