387 private links
Loading a ressource can deanonymise a user:
- Cloudflare CDN shares the nearest airport in its HTTP header Cf-Ray
- A favicon cache works: "Since everytime you load their site, your browser automatically downloads this favicon, this means a user from each one of this locations has visited the Namecheap.com site within the 5 minutes with the last visit from Tokyo, Japan.". So if you lead a specific content created only to target one user, you can know from which data center the content is loaded (and its nearest airport).
- As Signal uses Cloudflare caching for the attachments, the same attack can be exploited.
With an innocent-looking attachment, an attacker can deanonymize users and find their location within an approximate radius (tens of miles, depending of the datacenters).
It works only if the user clicks to download the attachment in this case.
- Push notification of Signal with an image can trigger the cache... So a 0-click exploit can exist.
If the target has push notifications enabled (which it is by default), they don't even have to open the Signal conversation for their device to download the attachment. [...]
An attacker can run this deanonymization attack any time and grab a user's current location without a single interaction.
A similar exploit can be used on Discord with custom emojis: the custom emoji is a custom content downloaded by one user.
Conclusion:
his attack can be used to track Signal accounts, correlate identities, find employees meeting with journalists and much more.
Any app using a CDN for content delivery and caching can still be vulnerable if the proper precautions aren’t taken.
