A significant privacy vulnerability in Cloudflare's Content Delivery Network (CDN) has been discovered that could allow attackers to track users' locations within approximately 250 miles. The flaw affects popular messaging and communication platforms including Signal, Discord, and other Cloudflare-backed services.
The vulnerability, discovered by a 15-year-old security researcher, exploits Cloudflare's caching system and datacenter infrastructure to determine users' approximate locations without their knowledge.
The attack takes advantage of how Cloudflare caches content across its global network of datacenters and returns information about which datacenter served the cached content.
The researcher demonstrated two attack scenarios:
- A "1-click" version requiring minimal user interaction, and
- A more concerning "0-click" variant that can track users through push notifications.
The vulnerability's impact is particularly concerning for privacy-conscious users, journalists, and activists who rely on these platforms for secure communication.
During testing, the researcher successfully tracked the location of Discord's CTO within a 300-mile radius using this technique.
While Cloudflare has patched a specific bug that made datacenter traversal easier, the underlying privacy issue remains.
"Cloudflare ended up completely patching the bug used by Cloudflare Teleport to traverse datacenters," the researcher wrote.
"The bug had been reported to their HackerOne program a year ago by another reporter, but they hadn't done anything about it back then since they didn't see any impact of traversing datacenters until I shared my research."
The researcher found that using VPN servers across different global locations still allows attackers to reach approximately 54% of Cloudflare's datacenters, maintaining the vulnerability's effectiveness.
The response from affected services has been mixed. Signal dismissed the concern, stating that it does not aim to provide network-layer anonymity. Discord initially promised to investigate but later characterized it as a Cloudflare issue. Cloudflare maintains that the behavior is not a vulnerability in its system and advises customers to disable caching for sensitive resources if they are concerned.
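The mitigation Cloudflare points to, disabling caching for sensitive resources, is something a service operator can verify from the origin side. The following is an added example, not code from the article, the researcher, or Cloudflare: a small audit that inspects the `cf-cache-status` and `cf-ray` response headers (both real Cloudflare headers; the trailing three-letter suffix of `cf-ray` names the edge datacenter) together with the origin's `Cache-Control`, and flags per-user resources that the edge is caching without a `private` or `no-store` directive. The sample responses and the list of "sensitive" path prefixes are constructed for illustration.

```python
"""
Origin-side audit for Cloudflare-fronted resources: flag per-user (sensitive)
resources that are cacheable at the edge, because a cached copy is served with
a cf-ray header that names the datacenter holding it.

Added example; not code from the article or from Cloudflare. The header names
cf-cache-status, cf-ray and cache-control are real; the sample responses and
the SENSITIVE_PREFIXES list below are constructed for illustration.
"""
import re

# cf-ray looks like "<16 hex chars>-<3-letter datacenter code>", e.g. "...-SJC".
CF_RAY_RE = re.compile(r"^[0-9a-f]{16}-([a-z]{3})$", re.IGNORECASE)

# Statuses meaning the object went through (or into) the edge cache.
CACHED_STATUSES = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}

# Hardened Cache-Control an origin should send on per-user resources.
SAFE_CACHE_CONTROL = "private, no-store, max-age=0"

# Constructed: path prefixes this hypothetical service treats as per-user.
SENSITIVE_PREFIXES = ("/attachments/", "/api/")

# Constructed sample responses: (request path, response headers).
SAMPLE_RESPONSES = [
    ("/attachments/avatar/123.png",
     {"CF-Cache-Status": "HIT", "CF-RAY": "8a1b2c3d4e5f6789-SJC",
      "Cache-Control": "public, max-age=14400"}),
    ("/attachments/avatar/456.png",
     {"CF-Cache-Status": "MISS", "CF-RAY": "8a1b2c3d4e5f678a-FRA"}),
    ("/api/v1/messages",
     {"CF-Cache-Status": "DYNAMIC", "CF-RAY": "8a1b2c3d4e5f678b-AMS",
      "Cache-Control": "private, no-store, max-age=0"}),
    ("/api/v1/profile",
     {"CF-Cache-Status": "DYNAMIC", "CF-RAY": "8a1b2c3d4e5f678c-AMS"}),
    ("/static/app.js",
     {"CF-Cache-Status": "HIT", "CF-RAY": "8a1b2c3d4e5f678d-SJC",
      "Cache-Control": "public, max-age=31536000"}),
]


def normalize(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def colo_from_cf_ray(cf_ray):
    """Return the 3-letter datacenter code from a cf-ray value, or None."""
    if not cf_ray:
        return None
    m = CF_RAY_RE.match(cf_ray.strip())
    return m.group(1).upper() if m else None


def cache_control_is_safe(cache_control):
    """True if Cache-Control forbids storing the response in a shared cache."""
    directives = {d.strip().lower() for d in cache_control.split(",") if d.strip()}
    return "no-store" in directives or "private" in directives


def audit_response(path, headers):
    """Classify one response; returns the evidence and a risk level."""
    h = normalize(headers)
    status = h.get("cf-cache-status", "").upper()
    cc = h.get("cache-control", "")
    cached = status in CACHED_STATUSES
    safe_cc = cache_control_is_safe(cc)

    if cached and not safe_cc:
        risk = "high"     # edge holds a copy and nothing tells it not to
    elif cached or not safe_cc:
        risk = "medium"   # one of the two controls is missing or contradicted
    else:
        risk = "ok"
    return {
        "path": path,
        "cf_cache_status": status or "(absent)",
        "colo": colo_from_cf_ray(h.get("cf-ray")),
        "cache_control": cc or "(absent)",
        "risk": risk,
        "fix": None if risk == "ok" else "Cache-Control: " + SAFE_CACHE_CONTROL,
    }


def run_audit(responses, sensitive_prefixes):
    """Audit only the per-user paths; shared static assets are expected to cache."""
    return [audit_response(p, h) for p, h in responses
            if p.startswith(tuple(sensitive_prefixes))]


def summarize(findings):
    """Count findings per risk level."""
    counts = {"high": 0, "medium": 0, "ok": 0}
    for f in findings:
        counts[f["risk"]] += 1
    return counts


if __name__ == "__main__":
    results = run_audit(SAMPLE_RESPONSES, SENSITIVE_PREFIXES)
    for f in results:
        print(f"{f['risk']:6} {f['path']:30} status={f['cf_cache_status']:8} "
              f"colo={f['colo']} cache-control={f['cache_control']}")
    print(summarize(results))
```

Run it against captured headers from your own service (for example by replacing `SAMPLE_RESPONSES` with the output of a crawler that records response headers). A "high" finding means the edge already holds a cached copy of a per-user object and the origin is not telling it to stop; sending `Cache-Control: private, no-store` on those responses, or a Cloudflare cache rule that bypasses the cache for those paths, turns the status to `DYNAMIC` or `BYPASS`.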
The research highlights the tension between performance optimization and privacy in modern web infrastructure, where features designed to speed up service delivery can inadvertently create privacy risks for end users.