A security researcher discovered a way to abuse how Cloudflare cached certain images
The method could allow outsiders to partially deanonymize people
The error was quickly fixed, Cloudflare assures users
Experts have found a way to partially deanonymize a person and find out their general location simply by sending them a picture on certain messaging platforms.
This is according to a 15-year-old cybersecurity researcher named Daniel, who recently found a vulnerability in Cloudflare’s content delivery network (CDN).
In theory, the vulnerability is simple. Cloudflare wants people to receive their messages and multimedia as quickly as possible. For that reason, images are served through the data center closest to the recipient. If an attacker could learn which data center that is, they could get a solid picture of their target’s location.
A radius of 200 miles
“One of Cloudflare’s most used features is Caching. Cloudflare’s Cache stores copies of frequently accessed content (such as images, videos or web pages) in its data centers, reducing server load and improving website performance,” explained Daniel.
“When your device sends a request for a resource that can be cached, Cloudflare retrieves the resource from its local data center storage if available. Otherwise, it retrieves the resource from the origin server, caches it locally, and then returns it. By default, some file extensions are cached automatically, but website operators can also configure new cache rules.”
“If you live in a developed country, there’s a good chance the closest data center to you is less than 200 miles away.” Because some apps, such as Signal or Discord, display a thumbnail of the image in the notification, the image is fetched without any action from the recipient, which makes this a zero-click vulnerability.
Daniel further explained that Cloudflare returns information about a request’s cache status in the HTTP response, including the airport code of the closest airport to the data center.
Next, he exploited a flaw in Cloudflare Workers and used a tool called Cloudflare Teleport that forces requests through a specific data center.
A few months after the bug was discovered, Cloudflare patched it and told Bleeping Computer that it was disclosed in December 2024 and “immediately resolved.”
“The ability to make requests to specific data centers via the “Cloudflare Teleport” project on GitHub was quickly addressed – as the security researcher mentions in their disclosure. We believe that bug bounties are a vital part of any security team’s toolbox, and we continue to encourage third parties and researchers to continue to report this type of activity for review by our team.”
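The cache status and data center code described above travel in ordinary response headers, so an operator can check which of their own media URLs expose them. The following is an added example, not code from the researcher or Cloudflare; it reads Cloudflare's `CF-Cache-Status` and `CF-Ray` response headers (the article does not name them), and the URLs and header values are constructed samples.

```python
from typing import NamedTuple, Optional

# Statuses showing the edge cache was consulted for the object.
# DYNAMIC and BYPASS mean the response was not served from cache.
CACHE_CONSULTED = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}

class Finding(NamedTuple):
    url: str
    cache_status: str          # "ABSENT" when the header is missing
    colo: Optional[str]        # three-letter data center code, if present
    exposes_cache_state: bool  # True when per-location cache state is observable

def parse_colo(cf_ray: str) -> Optional[str]:
    """CF-Ray has the form '<request id>-<data center code>'."""
    _, sep, code = cf_ray.strip().rpartition("-")
    code = code.upper()
    return code if sep and len(code) == 3 and code.isalpha() else None

def audit(url: str, headers: dict) -> Finding:
    """Classify one response from your own media endpoint."""
    h = {k.lower(): v for k, v in headers.items()}
    status = h.get("cf-cache-status", "").strip().upper()
    colo = parse_colo(h.get("cf-ray", ""))
    return Finding(url, status or "ABSENT", colo, status in CACHE_CONSULTED)

# Constructed sample responses (hypothetical host and values).
SAMPLES = [
    ("https://media.example.test/attachments/a1.png",
     {"CF-Cache-Status": "HIT", "CF-Ray": "8f1c2a3b4c5d6e7f-LHR"}),
    ("https://media.example.test/api/avatar?id=7",
     {"cf-cache-status": "DYNAMIC", "cf-ray": "8f1c2a3b4c5d6e80-lhr"}),
    ("https://static.example.test/logo.png", {"Server": "nginx"}),
]

def report(samples):
    return [audit(url, headers) for url, headers in samples]

if __name__ == "__main__":
    for f in report(SAMPLES):
        flag = "REVIEW" if f.exposes_cache_state else "ok"
        print(f"{flag:6} {f.cache_status:8} {f.colo or '-':4} {f.url}")
```

URLs flagged `REVIEW` that carry per-user attachments are candidates for a cache rule that keeps them out of the edge cache.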