Summary: A security researcher discovered a vulnerability in Cloudflare’s CDN that can expose a user’s general location through images sent via platforms like Signal and Discord. This zero-click tracking method allows attackers to deanonymize users within a 250-mile radius without any interaction from the target. The flaw raises significant privacy concerns for individuals such as journalists and activists while potentially aiding law enforcement investigations.
Threat Actor: Daniel
Victim: Cloudflare, Signal, Discord
Keypoints:
- Daniel’s attack exploits a flaw in Cloudflare’s caching mechanism to infer user locations based on image requests.
- The vulnerability allows for tracking without user interaction, making it a stealthy zero-click attack.
- While Cloudflare has patched the initial bug, alternative methods for geo-locating users remain viable.