- A security researcher discovered a way to abuse how Cloudflare cached certain images
- The method could allow outsiders to partially de-anonymize people
- The bug was quickly fixed, Cloudflare assures users
Experts have found a way to partially de-anonymize a person and find out their general location by simply sending them a picture on certain messaging platforms.
This is according to a 15-year-old cybersecurity researcher named Daniel, who recently found a vulnerability in Cloudflare’s content delivery network (CDN).
In theory, the vulnerability is simple. Cloudflare wants people to receive their messages, and multimedia, as quickly as possible. For that reason, images that are being sent go through a data center that’s nearest to the recipient. If the attacker could learn which data center that is, they could get a solid picture of their target’s location.
A 200-mile radius
“One of Cloudflare’s most used features is Caching. Cloudflare’s Cache stores copies of frequently accessed content (such as images, videos, or webpages) in its datacenters, reducing server load and improving website performance,” Daniel explained.
“When your device sends a request for a resource that can be cached, Cloudflare retrieves the resource from its local datacenter storage, if available. Otherwise, it fetches the resource from the origin server, caches it locally, and then returns it. By default, some file extensions are automatically cached but site operators can also configure new cache rules.”
“If you live in a developed country, there’s a good chance the nearest datacenter to you is less than 200 miles from you.” Because some apps, such as Signal and Discord, show the image’s thumbnail in the notification, this becomes a zero-click vulnerability.
Daniel further explained that Cloudflare returns information about a request’s cache status in the HTTP response, including the airport code for the closest airport to the data center.
Next, he used a bug in Cloudflare Workers and a tool called Cloudflare Teleport to force requests through a specific data center.
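For operators who want to see which of their own endpoints return the cache status and data center code described above, the following is an added example, not code from the article or from the researcher. It audits captured response headers and flags URLs where both appear together. The header names `CF-Cache-Status` and `CF-Ray` are Cloudflare's documented response headers, which the article does not name; the host, URLs and header values are constructed.

```python
import re

# Header names are Cloudflare's documented ones; the article does not name them.
CACHE_HEADER, RAY_HEADER = "cf-cache-status", "cf-ray"
# Statuses that mean the object is (or is about to be) held in the edge cache.
EDGE_CACHED = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}
RAY_RE = re.compile(r"^[0-9a-f]+-([A-Z]{3})$")  # "<request id>-<airport code>"

def audit_response(url, headers):
    """Classify one captured response by what its headers disclose."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    status = h.get(CACHE_HEADER, "").upper() or None
    match = RAY_RE.match(h.get(RAY_HEADER, ""))
    colo = match.group(1) if match else None
    edge_cached = status in EDGE_CACHED
    return {
        "url": url,
        "cache_status": status,
        "datacenter_code": colo,
        # Cache state plus a data center code is the combination the article describes.
        "location_signal": edge_cached and colo is not None,
    }

def flagged_urls(captures):
    """Return URLs whose responses pair edge-cache state with a data center code."""
    return [r["url"] for r in (audit_response(u, h) for u, h in captures)
            if r["location_signal"]]

# Constructed sample captures (hypothetical host, made-up header values).
SAMPLE_CAPTURES = [
    ("https://media.example.test/attachments/1/photo.png",
     {"CF-Cache-Status": "HIT", "CF-Ray": "8f1c2d3e4a5b6c7d-FRA",
      "Cache-Control": "public, max-age=31536000"}),
    ("https://media.example.test/api/avatar?user=1",
     {"CF-Cache-Status": "DYNAMIC", "CF-Ray": "8f1c2d3e4a5b6c7e-FRA",
      "Cache-Control": "private, no-store"}),
    ("https://media.example.test/attachments/2/clip.jpg",
     {"cf-cache-status": "miss", "cf-ray": "8f1c2d3e4a5b6c7f-AMS"}),
    ("https://media.example.test/health", {"Server": "origin"}),
]

if __name__ == "__main__":
    for url in flagged_urls(SAMPLE_CAPTURES):
        print("review cache rule:", url)
```

URLs flagged this way that carry per-user media are the ones whose cache rules are worth reviewing.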
A few months after the bug was discovered, Cloudflare patched it up, telling BleepingComputer it was disclosed in December 2024, and “immediately resolved.”
“The ability to make requests to specific data centres via the “Cloudflare Teleport” project on GitHub was quickly addressed – as the security researcher mentions in their disclosure. We believe bug bounties are a vital part of every security team’s toolbox, and continue to encourage third parties and researchers to continue to report this type of activity for review by our team.”