- A security researcher discovered a way to abuse how Cloudflare cached certain images.
- The method could allow outsiders to partially deanonymize people.
- The bug was fixed quickly, Cloudflare assures users.
Experts have found a way to partially deanonymize a person and discover their general location by simply sending them an image on certain messaging platforms.
This is according to a 15-year-old cybersecurity researcher named Daniel, who recently found a vulnerability in Cloudflare’s content delivery network (CDN).
In theory, the vulnerability is simple. Cloudflare wants people to receive their messages and multimedia as quickly as possible. For this reason, images that are sent pass through a data center close to the recipient. If an attacker can determine which data center that is, they get a solid picture of their target’s location.
A 200-mile radius
“One of the most used features of Cloudflare is caching. Cloudflare cache stores copies of frequently accessed content (such as images, videos or web pages) in its data centers, reducing server load and improving website performance,” Daniel explained.
“When your device sends a request for a cacheable resource, Cloudflare retrieves the resource from your local data center, if available. Otherwise, it retrieves the resource from the origin server, caches it locally, and then returns it. By default, some file extensions are cached automatically, but site operators can also configure new caching rules.”
“If you live in a developed country, there is a good chance that the nearest data center is less than 200 miles from you.” Since some apps, such as Signal or Discord, display the image thumbnail in the notification, this is a zero-click vulnerability.
Daniel further explained that Cloudflare returns information about the cache status of a request in the HTTP response, including the code of the airport closest to the data center.
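An operator-side check for the headers described above, as an added example that is not from the article or from Cloudflare: it flags user-content responses that are stored in the edge cache and shows the airport code each response discloses. `CF-Cache-Status` and `CF-Ray` are Cloudflare's header names; the URLs and header values are constructed samples.

```python
# Added example: audit captured response headers for edge caching.
# Cache-status values are the ones Cloudflare documents for CF-Cache-Status.
EDGE_CACHED = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}
NOT_CACHED = {"BYPASS", "DYNAMIC", "NONE", "UNKNOWN", "NONE/UNKNOWN"}

# Constructed samples: (URL, raw response header block). Hypothetical hosts.
SAMPLES = [
    ("https://media.example.com/attachments/1.png",
     "Content-Type: image/png\nCF-Cache-Status: HIT\nCF-Ray: 0123456789abcdef-EWR\nAge: 42"),
    ("https://media.example.com/avatars/2.png",
     "Content-Type: image/png\ncf-cache-status: MISS\ncf-ray: 0123456789abcdee-LHR"),
    ("https://api.example.com/v1/messages",
     "Content-Type: application/json\nCF-Cache-Status: DYNAMIC\nCF-Ray: 0123456789abcded-FRA"),
    ("https://static.example.com/logo.svg", "Content-Type: image/svg+xml"),
]

def parse_headers(raw):
    """Turn a raw header block into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(url, raw):
    """Classify one response and extract the data-center code it reveals."""
    h = parse_headers(raw)
    status = h.get("cf-cache-status", "").upper()
    ray = h.get("cf-ray", "")
    # CF-Ray ends in "-<code>", the airport code of the serving data center.
    colo = ray.rpartition("-")[2].upper() if "-" in ray else None
    if status in EDGE_CACHED:
        verdict = "edge-cached"
    elif status in NOT_CACHED:
        verdict = "not-cached"
    else:
        verdict = "unrecognised" if status else "no-cloudflare-cache-header"
    return {"url": url, "status": status or None, "colo": colo, "verdict": verdict}

def findings(samples=SAMPLES):
    """Return only the responses that the edge cache stores."""
    results = (audit(url, raw) for url, raw in samples)
    return [r for r in results if r["verdict"] == "edge-cached"]

if __name__ == "__main__":
    for r in findings():
        print(f'{r["url"]}: {r["status"]} via {r["colo"]}')
```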
He then exploited a bug in Cloudflare Workers and used a tool called Cloudflare Teleport to force requests through a specific data center.
A few months after the bug was discovered, Cloudflare fixed it and told BleepingComputer that it was revealed in December 2024 and was “immediately resolved.”
“The ability to make requests to specific data centers through the ‘Cloudflare Teleport’ project on GitHub was quickly addressed, as the security researcher mentions in his disclosure. We believe bug bounties are a vital part of every security team’s toolbox and we continue to encourage third parties and researchers to continue reporting this type of activity for our team to review.”