Sounds a bit clickbait:

> allows an attacker to grab the location of any target within a 250 mile radius

So it’s a bit rough… In Europe it means basically which country the target is in. Also Cloudflare servers are not evenly distributed in the world, so resolution can differ wildly worldwide.

> With a vulnerable app installed on a target’s phone

So it’s not really zero click.

Sounds interesting though, nice writeup, but not as scary as it sounds from the title.

I should have stopped when they announced they were a high school student.

They didn’t reveal the actual identity of anyone. They did use Cloudflare to approximate a target’s location, and made it slightly fancier by forcing the client to make the request with a push notification.

Companies have used similar approaches for decades. Almost every web interaction with a marketer approximates your location and ties that together with demographics via browser fingerprinting to get a good idea of who you are.