A security researcher named Daniel has discovered a flaw in Cloudflare’s CDN potentially exposing someone’s location by sending them an image on platforms like Signal and Discord. Daniel says he is publishing his research as a warning, especially for journalists, activists, and hackers, as hundreds of apps are vulnerable to this undetectable attack, including Signal, Discord and Twitter/X https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
Roger Grimes, data-driven defense evangelist at KnowBe4, commented:
“At first glance, the flaw seems really innocuous and barely relevant, but there are scenarios, like those involving tracked dissents, where it could be a problem. For example, if the agency that’s tracking you knows you’ve got safe houses in one of two countries but isn’t sure which you’re in, this sort of flaw might be interesting to them. Or I’m a woman trying to escape an ex-boyfriend and he’s not sure which relative or friend’s house I’m hiding out at. And the attack is just generic enough that I think it can be applied to more CDNs…I doubt Cloudflare is the only CDN with this sort of vulnerability. Also, kudos to the 15-year old kid that found and released this attack.”
The report by Daniel should be read in detail because it not only shows how bad this flaw is, but the fact that it is still out there waiting to be exploited. Hopefully those who are mentioned in this report such as Cloudflare along with any other products that might be vulnerable to this attack do something to fix this. And for everyone else, I would take the steps that Daniel outlines to protect yourselves.
Related
This entry was posted on January 23, 2025 at 8:48 am and is filed under Commentary with tags Cloudflare. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Cloudflare CDN Flaw Leaks User Location Data
A security researcher named Daniel has discovered a flaw in Cloudflare’s CDN potentially exposing someone’s location by sending them an image on platforms like Signal and Discord. Daniel says he is publishing his research as a warning, especially for journalists, activists, and hackers, as hundreds of apps are vulnerable to this undetectable attack, including Signal, Discord and Twitter/X https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
Roger Grimes, data-driven defense evangelist at KnowBe4, commented:
“At first glance, the flaw seems really innocuous and barely relevant, but there are scenarios, like those involving tracked dissents, where it could be a problem. For example, if the agency that’s tracking you knows you’ve got safe houses in one of two countries but isn’t sure which you’re in, this sort of flaw might be interesting to them. Or I’m a woman trying to escape an ex-boyfriend and he’s not sure which relative or friend’s house I’m hiding out at. And the attack is just generic enough that I think it can be applied to more CDNs…I doubt Cloudflare is the only CDN with this sort of vulnerability. Also, kudos to the 15-year old kid that found and released this attack.”
The report by Daniel should be read in detail because it not only shows how bad this flaw is, but the fact that it is still out there waiting to be exploited. Hopefully those who are mentioned in this report such as Cloudflare along with any other products that might be vulnerable to this attack do something to fix this. And for everyone else, I would take the steps that Daniel outlines to protect yourselves.
Share this:
Like this:
Related
This entry was posted on January 23, 2025 at 8:48 am and is filed under Commentary with tags Cloudflare. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.