- A security researcher discovered a way to abuse how Cloudflare cached certain images
- The method could allow third parties to partially deanonymize people
- The bug was quickly fixed, Cloudflare assures users
Experts have found a way to partially deanonymize a person and learn their general location by simply sending them a photo on certain messaging platforms.
So says Daniel, a 15-year-old cybersecurity researcher who recently discovered a vulnerability in Cloudflare’s content delivery network (CDN).
In theory, the vulnerability is simple. Cloudflare wants people to receive their messages and media content as quickly as possible. For this reason, images sent to a recipient pass through the data center closest to them. If an attacker could learn which data center this is, they could get an accurate picture of their target’s location.
A radius of 200 miles
“One of the most used features of Cloudflare is caching. Cloudflare’s cache stores copies of frequently accessed content (such as images, videos or web pages) in its data centers, reducing server load and improving website performance,” Daniel explained.
“When your device sends a request for a cacheable resource, Cloudflare retrieves the resource from its local data center storage, if available. Otherwise, it fetches the resource from the original server, caches it locally, and then returns it. By default, some file extensions are automatically cached, but site operators can also configure new cache rules.
“If you live in a developed country, chances are the nearest data center is within 200 miles of you.” Since some apps, like Signal or Discord, show the image thumbnail in the notification, this is a zero-click vulnerability.
Daniel further explained that Cloudflare returns information about the cache state of a request in the HTTP response, including the code of the airport closest to the data center.
Then he used a bug in Cloudflare Workers and a tool called Cloudflare Teleport, forcing requests to go through a specific data center.
A few months after the bug was discovered, Cloudflare fixed it, telling BleepingComputer it was disclosed in December 2024 and “immediately resolved.”
“The possibility of making requests to specific data centers via the ‘Cloudflare Teleport’ project on GitHub was quickly discussed – as the security researcher mentions in his disclosure. We believe bug bounties are an essential part of every security team’s toolbox, and we continue to encourage third parties and researchers to continue reporting this type of activity for review by our team.”
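The cache-state headers described above can be audited from the operator's side. The following is an added example, not code from the article, the researcher or Cloudflare: it checks response headers from an app's own media endpoints and flags those whose edge-cache state and serving data center are both visible. `CF-Cache-Status` and `CF-Ray` are Cloudflare's header names; the sample responses, paths and function names are constructed for illustration.

```python
import re

# CF-Ray has the form "<hex id>-<airport code of the serving data center>".
CF_RAY = re.compile(r"^[0-9a-fA-F]+-([A-Z]{3})$")
# CF-Cache-Status values that mean the edge cache was consulted for the object.
EDGE_CACHED = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}
# Cache-Control directives that forbid a shared cache from storing a response.
FORBID_SHARED = {"no-store", "private"}


def audit(headers):
    """Summarise what one response reveals about per-data-center caching."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    status = h.get("cf-cache-status", "").upper()
    match = CF_RAY.match(h.get("cf-ray", ""))
    colo = match.group(1) if match else None
    directives = {
        d.strip().split("=")[0].lower()
        for d in h.get("cache-control", "").split(",")
        if d.strip()
    }
    edge_cached = status in EDGE_CACHED
    return {
        "colo": colo,
        "cache_status": status or None,
        "edge_cached": edge_cached,
        "origin_forbids_shared_cache": bool(directives & FORBID_SHARED),
        # Cached per data center AND the data center is named in the response.
        "exposes_pop_cache_state": edge_cached and colo is not None,
    }


def flagged(samples):
    """Return the paths whose responses expose per-data-center cache state."""
    return [p for p, hdrs in samples if audit(hdrs)["exposes_pop_cache_state"]]


# Constructed sample responses for two hypothetical attachment URLs.
SAMPLES = [
    ("/attachments/a.png", {"CF-Cache-Status": "HIT",
                            "CF-Ray": "8f1c2d3e4a5b6c7d-EWR",
                            "Cache-Control": "public, max-age=86400"}),
    ("/attachments/b.png", {"CF-Cache-Status": "DYNAMIC",
                            "CF-Ray": "8f1c2d3e4a5b6c7e-EWR",
                            "Cache-Control": "private, no-store"}),
]

if __name__ == "__main__":
    for path in flagged(SAMPLES):
        print("edge-cached user media:", path)
```

Endpoints that serve user-to-user media and appear in the flagged list are the ones whose cache rules deserve review.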