Was posted yesterday to a lot of communities, it’s very clickbait:
allows an attacker to grab the location of any target within a 250 mile radius
So it’s a bit rough… In Europe it means basically which country the target is in. Also cloudflare servers are not evenly distributed in the world, so resolution can differ wildly worldwide.
With a vulnerable app installed on a target’s phone
So it’s not really zero click.
Sounds interesting though, nice writeup, but not as scary as it sounds from the title.
just_another_person@lemmy.world
on 23 Jan 09:59
nextcollapse
Yeah, this sensational as a headline. It’s a clever idea that is not simple, requires an already compromised device and user, and won’t work except very specific conditions.
It doesn’t require them to have a compromised device. If they have Signal, or something similar, you just need to message them with an image attachment, then get to work checking where that image got cached.
just_another_person@lemmy.world
on 23 Jan 14:13
collapse
Not at all.
Phone needs to have network defaults enabled
Phone needs to have push notifications enabled
Phone needs to have background data enabled
No VPN
Attachment downloads by default in each app
No private DNS
No content blockers (lots have CDN bypass as a feature for this exact reason)
Any of these being different would not make this possible for a number of reasons. The author is talking about journalists and security minded people being at risk, but it’s hard to imagine anyone going above the defaults to protect would be at much risk if they didn’t take one or two of these steps as protection.
I assume from your comment you’re thinking “compromised device” to mean attacked, and those are synonymous. It’s just a phone with no protections.
That’s not a compromised device though, it’s a device with default settings.
just_another_person@lemmy.world
on 23 Jan 14:52
collapse
Yes, which is a compromised device. A Windows machine without any antivirus or malware protection is a compromised device, for example.
Read the back half of this writeup and realize the target audience should be people with basic security steps taken. No journalist going out of their way to talk to whistleblowers is going to have a default settings phone, or any phone on them at all for that matter I would expect.
Aatube@kbin.melroy.org
on 23 Jan 15:50
nextcollapse
Windows machines have default antivirus. I would not expect disabling push notifications to be a basic security measure. Pretty much everyone has push notifications, including the target audience. A lot of them also don't take a device-wide VPN because they expect only websites to track them.
““compromised device”” in this scenario is any device with a chat app installed, push notifications on, and the chat service uses Cloudflare CDN. This is a very common setup, Discord and Signal were mentioned as examples. Many others are vulnerable for the same thing. With read receipts on the chat platform (like Signal), no push notifications are required.
The headline is sensationalist, but it isn’t something to be ignored. Especially for more privacy focused platforms like Signal, even leaking the country someone is in can be considered a risk. That’s effectively what this attack allows.
just_another_person@lemmy.world
on 23 Jan 14:14
nextcollapse
Already addressed in a different comment, but yes.
The vulnerable app can be anything that displays an attached image though. And a 250-mile radius compared to the whole world is still a very significant step for governments trying to track down dissidents, etc.
The section on responses by Cloudflare, Signal and Discord is disappointing. They’re not taking it seriously enough.
If the target has push notifications enabled (which it is by default), they don’t even have to open the Signal conversation for their device to download the attachment. Once the push notification is sent to their device, it automatically downloads the image from Signal’s CDN triggering the local datacenter to cache the response.
An attacker can run this deanonymization attack any time and grab a user’s current location without a single interaction.
GeoGuesser, powered by the Google Maps API, generates a likely location of the user. It finds the midpoint between the 2 datacenters and draws 2 circles that signify his radius.
And with SS7 they can get even more precise location, and you can’t really hide from that if you want to use a phone with a phone number, what is the point. This is an interesting way of attack, noone really thought about this before, but it’s not “oh-my-god everyone can be tracked via signal”. I guess the closest server doesn’t even selected via geographical distance, but much more depends on network infrastructure of your location, so Google Maps API can’t really help here.
And again any VPN could defend against this, so if you want to hide which country you are in currently, it should be the 0th step to use a VPN.
Aatube@kbin.melroy.org
on 23 Jan 13:42
nextcollapse
Cloudflare has more servers in Europe than in North America. That does trace you to which country, which IMO is pretty significant. Especially with the GeoGuesser "average the circles" thing he coded.
The user having to have the vulnerable app installed does not make it not zero click.
LainTrain@lemmy.dbzer0.com
on 23 Jan 10:13
nextcollapse
That’s a pretty clever trick.
JRaccoon@discuss.tchncs.de
on 23 Jan 11:34
nextcollapse
Interesting read. One thing I don’t fully get is why does Cloudflare have the airport code in the response headers anyway? I cannot think of a single reason to have it in the response.
CosmicTurtle0@lemmy.dbzer0.com
on 23 Jan 14:22
collapse
They use airport codes for their data center identifiers.
JRaccoon@discuss.tchncs.de
on 23 Jan 15:26
collapse
Yeah I get that, but why return that information in the HTTP response?
I understand the need for CDNs, but they really do have some nasty side-effects. And those seem to get worse, the more transformation is allowed to happen in CloudFlare Workers and similar services.
knightmare1147@lemmy.world
on 23 Jan 12:05
nextcollapse
Tldr: Someone can guess reasonably where you are by sending you a glitched friend request notification on your phone that tells the hacker what data center you’re closest to.
It is pretty clever but I wouldn’t call it full deanonymizing, should still get patched though.
good find by the tester.
Edit: used the term ‘glitch’ for simplicity of people reading, didn’t mean to upset people; I’m just an amateur.
Fiery@lemmy.dbzer0.com
on 23 Jan 13:36
nextcollapse
It’s not even glitched, it’s working as intended
CosmicTurtle0@lemmy.dbzer0.com
on 23 Jan 14:21
nextcollapse
It’s not a glitched friend request notification.
It’s a native friend request that you make through discord. The vulnerability lies in the attacker making a unique pfp for each request, forcing the CDN to cache the pfp at the closest data center to the user.
I would agree that it’s not fully deanonymizing but it could resurrect tracking Elon and other billionaires.
lemmydividebyzero@reddthat.com
on 23 Jan 18:02
collapse
I don’t get it?
Why not just sending someone a link to an image on your website?
You grab the IP address and are probably closer to the actual location with less work.
Or would Signal proxy the image?
Then, you need to just send a link. The user clicks (1 click attack) and you get the IP address…
wholookshere@lemmy.blahaj.zone
on 23 Jan 20:27
collapse
Most platforms proxy media shared.
Then your proposed workaround is still 1 click more than the reported one.
lemmydividebyzero@reddthat.com
on 23 Jan 20:44
collapse
yes, ok, but the 0 click reveals that I’m probably living in Germany (I just kind of doxed myself) and the IP can reveal the city or village I’m living in and if you cantact my ISP as law enforcement, you could probably find out my name and address…
But ok, the post is probably a bit of clickbait, because you can’t do much with the information you get from this method.
threaded - newest
You need to up your game I can almost understand that title.
Was posted yesterday to a lot of communities, it’s very clickbait:
So it’s a bit rough… In Europe it means basically which country the target is in. Also cloudflare servers are not evenly distributed in the world, so resolution can differ wildly worldwide.
So it’s not really zero click.
Sounds interesting though, nice writeup, but not as scary as it sounds from the title.
Yeah, this sensational as a headline. It’s a clever idea that is not simple, requires an already compromised device and user, and won’t work except very specific conditions.
It doesn’t require them to have a compromised device. If they have Signal, or something similar, you just need to message them with an image attachment, then get to work checking where that image got cached.
Not at all.
Any of these being different would not make this possible for a number of reasons. The author is talking about journalists and security minded people being at risk, but it’s hard to imagine anyone going above the defaults to protect would be at much risk if they didn’t take one or two of these steps as protection.
I assume from your comment you’re thinking “compromised device” to mean attacked, and those are synonymous. It’s just a phone with no protections.
That’s not a compromised device though, it’s a device with default settings.
Yes, which is a compromised device. A Windows machine without any antivirus or malware protection is a compromised device, for example.
Read the back half of this writeup and realize the target audience should be people with basic security steps taken. No journalist going out of their way to talk to whistleblowers is going to have a default settings phone, or any phone on them at all for that matter I would expect.
Windows machines have default antivirus. I would not expect disabling push notifications to be a basic security measure. Pretty much everyone has push notifications, including the target audience. A lot of them also don't take a device-wide VPN because they expect only websites to track them.
The user profile picture is not an attachment.
Wouldn’t it be a vulnerable device? Up until the point it’s compromised by downloading a malicious image?
““compromised device”” in this scenario is any device with a chat app installed, push notifications on, and the chat service uses Cloudflare CDN. This is a very common setup, Discord and Signal were mentioned as examples. Many others are vulnerable for the same thing. With read receipts on the chat platform (like Signal), no push notifications are required.
The headline is sensationalist, but it isn’t something to be ignored. Especially for more privacy focused platforms like Signal, even leaking the country someone is in can be considered a risk. That’s effectively what this attack allows.
Already addressed in a different comment, but yes.
I feel like people here have forgotten the difference between “vulnerable” and “compromised”.
It matters because calling everyone’s default setup chat apps compromised implies that an attack has occurred.
The vulnerable app can be anything that displays an attached image though. And a 250-mile radius compared to the whole world is still a very significant step for governments trying to track down dissidents, etc.
The section on responses by Cloudflare, Signal and Discord is disappointing. They’re not taking it seriously enough.
Did you keep reading after the intro?
Excerpt:
If the target has push notifications enabled (which it is by default), they don’t even have to open the Signal conversation for their device to download the attachment. Once the push notification is sent to their device, it automatically downloads the image from Signal’s CDN triggering the local datacenter to cache the response.
An attacker can run this deanonymization attack any time and grab a user’s current location without a single interaction.
If it’s still only the datacenter it doesnt matter that much.
And with SS7 they can get even more precise location, and you can’t really hide from that if you want to use a phone with a phone number, what is the point. This is an interesting way of attack, noone really thought about this before, but it’s not “oh-my-god everyone can be tracked via signal”. I guess the closest server doesn’t even selected via geographical distance, but much more depends on network infrastructure of your location, so Google Maps API can’t really help here.
And again any VPN could defend against this, so if you want to hide which country you are in currently, it should be the 0th step to use a VPN.
Does everyone have access to tracking which stations send the phone signal in the SS7 network?
Yes, anyone can buy access.
Cloudflare has more servers in Europe than in North America. That does trace you to which country, which IMO is pretty significant. Especially with the GeoGuesser "average the circles" thing he coded.
The user having to have the vulnerable app installed does not make it not zero click.
That’s a pretty clever trick.
Interesting read. One thing I don’t fully get is why does Cloudflare have the airport code in the response headers anyway? I cannot think of a single reason to have it in the response.
They use airport codes for their data center identifiers.
Yeah I get that, but why return that information in the HTTP response?
I understand the need for CDNs, but they really do have some nasty side-effects. And those seem to get worse, the more transformation is allowed to happen in CloudFlare Workers and similar services.
Tldr: Someone can guess reasonably where you are by sending you a glitched friend request notification on your phone that tells the hacker what data center you’re closest to.
It is pretty clever but I wouldn’t call it full deanonymizing, should still get patched though.
good find by the tester.
Edit: used the term ‘glitch’ for simplicity of people reading, didn’t mean to upset people; I’m just an amateur.
It’s not even glitched, it’s working as intended
It’s not a glitched friend request notification.
It’s a native friend request that you make through discord. The vulnerability lies in the attacker making a unique pfp for each request, forcing the CDN to cache the pfp at the closest data center to the user.
I would agree that it’s not fully deanonymizing but it could resurrect tracking Elon and other billionaires.
I like how you see the positive in bad news 😃
.
My favorite part might be the conversation on the Cloudflare forum where a user reports the bug that makes this possible and it ends with this:
<img alt="" src="https://lemmy.world/pictrs/image/9078f68a-146c-4106-804b-f5e8ed4a57b1.jpeg">
😂
I don’t get it?
Why not just sending someone a link to an image on your website? You grab the IP address and are probably closer to the actual location with less work. Or would Signal proxy the image? Then, you need to just send a link. The user clicks (1 click attack) and you get the IP address…
Most platforms proxy media shared.
Then your proposed workaround is still 1 click more than the reported one.
yes, ok, but the 0 click reveals that I’m probably living in Germany (I just kind of doxed myself) and the IP can reveal the city or village I’m living in and if you cantact my ISP as law enforcement, you could probably find out my name and address…
But ok, the post is probably a bit of clickbait, because you can’t do much with the information you get from this method.