CloudflareCDN 0click location deanonymization attack targeting Signal, Discord and other platforms

jerm · January 21, 2025, 4:11pm

gist.github.com

https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117

research.md

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i [hack billion dollar companies](https://hackerone.com/daniel) and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

# Cloudflare
By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage knocked most of the internet offline for over 30 minutes.

One of Cloudflare's most used feature is Caching. Cloudflare's Cache stores copies of frequently accessed content (such as images, videos, or webpages) in its datacenters, reducing server load and improving website performance (https://developers.cloudflare.com/cache/).

This file has been truncated. show original

jonah · January 21, 2025, 4:29pm

Oh wow, that is surprisingly bad.

Focus · January 21, 2025, 4:32pm

Especially signals response.
But it didn’t surprise me, because to earlier different issues like the Desktop one being less secure, they also just replied with thats not their Problem.
If you market yourself as a privacy and security messenger then you would expect them to take these issues serious.

jerm · January 21, 2025, 4:58pm

Signal be like:

Signal instantly dismissed my report, saying it wasn’t their responsibility and it was up to users to hide their identity
(source)

The president of Signal, Meredith Whittaker, stated on Twitter that it’s not within the software’s scope to protect users from such a level of compromise, where attackers have local access to the target systems.
(source)

We disclosed our findings to the Signal organization on October 20, 2020, and received an answer on October 28, 2020. In summary, they state that they do not treat a compromise of long-term secrets as part of their adversarial model. Therefore, they do not currently plan to mitigate the described attack or implement one of the proposed countermeasures.
(source)

Then when the fuck will they care about known vulnerabilities such as these?

jonah · January 21, 2025, 5:03pm

I think it’s fine for Signal to have a very well-defined scope and stick with it, but at the same time it’s hard to excuse a privacy-focused provider making use of a CDN that has enough points of presence to enable this sort of side-channel attack. There’s really no winning for them though

phnx · January 21, 2025, 5:06pm

Disappointing to see all affected parties playing the blame game. I wonder if SimpleX chat is affected because I’m getting sick of Signals’ attitude towards these kinds of issues.

sgp · January 21, 2025, 5:20pm

Personally, I don’t see what you expect Signal to do except use a CDN with fewer endpoints. And if they did that, then messages would load slower.

Signal already defaults to not relaying calls, which means that for calls between contacts, your IP is directly exposed to the other party. This is done for performance, quality, and cost-saving reasons.

If you’re worried about protecting your IP from websites you connect to, including Cloudflare and other CDNs, then this is a good advertisement for using a VPN or Tor.

Note that if you use a VPN in the default setting of “Recommended”, “Fastest”, or similar, then this may not do much against this specific issue. You’ll connect from your IP to the nearest VPN IP with capacity and then to the nearest CDN entry point.

Maybe the biggest takeaway is that users should always assume that the IP address that they are using to access online resources can be discovered (or estimated) by more parties than they may expect, and to take steps to protect it accordingly.

@phnx SimpleX uses server routing to help mitigate against things like this, but even they suggest using Orbot.

Cyber-Typhoon · January 21, 2025, 5:43pm

Aside from the discovery, I’m very impressed with the age of the bounty hunter and the work quality.

Kudos and all success to them.

cooolguy · January 21, 2025, 6:01pm

Unfortunate that this is the case, but I do somewhat expect this from Cloudflare. They’ve done a lot of work towards making the internet a worse place generally. Thankful that this kid was able to discover the exploit and notified all involved.

sgp · January 21, 2025, 7:35pm

Let’s leave discussion on the morality of Cloudflare in a different thread please

phnx · January 21, 2025, 8:05pm

I’m confused where you got the idea that I expect anything from Signal. What I said was that “I’m getting sick of their attitude towards these kinds of issues.” Signal is welcome to continue considering these issues out of scope, just as I am free to take issue with that and go elsewhere (such as SimpleX chat). I am disappointed that Signal’s position as the ‘gold-standard’ of private messengers has led to stagnation and a poor security culture within their organisation.

From their response in this case, call relaying is also beyond the scope of Signal since it is “up to users to hide their identity”. Their stance on this is also wildly inconsistent. Link previews are a good example. They are either disabled or enabled with link previews generated on the sender’s client. Why bother if not to protect the recipient from leaking their IP to the website (and by extension potentially the sender) in zero-clicks?

A sane suggestion when you have users like journalists who cannot be expected to have a master’s degree in computer science. For some users, these things matter, and even if Signal isn’t going to fix it, an adequate warning couldn’t hurt.

soatok · January 21, 2025, 8:08pm

I think there’s a distinction that needs to be made about what guarantees Signal actually gives you, because I don’t think that’s clear from this report (but it is very clear from Signal’s documentation).

Nobody can see what is being said, except the participating devices in the conversation. This is where end-to-end encryption comes in.
- Once a message has reached the other end, it’s fair game. E2EE’s job is done once it’s reached the other end.
- The encryption key always ratchets forward to ensure a key is only used once, thereby limiting the impact of a compromise.

That’s pretty much it. There are some nuances (like, if you do a GIF search, they try to hide who is searching for what), but remember that Signal was originally just a means to encrypt SMS messages.

Signal doesn’t promise anonymity.

Signal doesn’t promise how data is secured on your device after the end-to-end encryption has done its job. If you’re worried about that, use your OS’s full disk encryption features with a secure passphrase. Also, pay attention to what’s happening with NIST and their Accordion Mode workshops; a lot of this will directly be applied to Android device encryption in the future.

Signal has a lot of faults, but they don’t falsely advertise their features.

Niek-de-Wilde · January 21, 2025, 8:11pm

I guess this is another win for carrier grade NAT /s

ph00lt0 · January 21, 2025, 9:19pm

delosmzp · January 21, 2025, 9:47pm

Well, this is why/another reason you use VPNs and enable multihop for good measure if you want.

Hope Signal expands their scope a bit to do a little more of such tangential issues as well.

jerm · January 21, 2025, 10:18pm

Well, I don’t agree with most of their excuses about not implementing some feature due to X reasons, take for example, local database encryption. Moxie (ex-signal dev) didn’t want to implement it because he believed that “it will be stored in memory forever at first unlock”, but Molly dev proved him wrong. There are multiple features that Signal just refuses to implement when it is entirely possible and will vastly improve user’s privacy or security.

Molly kept adding such features while Signal deliberately didn’t do anything remarkable at all other than cryptography (which I respect btw), it is just a part of what makes messenger secure, there are a lot of other attack vectors you should be putting into account and mitigate when you are providing people with a whole instant messaging app and not just providing cryptographic primitives.

Here’s a list of what features Molly have & going to have: Recommend Molly alongside Signal - #11 by jerm.

jerm · January 21, 2025, 10:32pm

Some similar attack:

Link to Paper.

jerm · January 22, 2025, 6:12pm

https://xcancel.com/SimpleXChat/status/1881781006404874692#m

No, we don’t use Cloudflare, and media uploads are distributed across multiple network servers, so this attack won’t apply.

File servers do observe user IP addresses, but the user will be warned prior to downloading the files from untrusted file servers.

This limitation will be removed this year - file downloads will be proxied by trusted servers in all cases.

SimpleX Chat not affected.