High School Student Discovers CloudFlare Vulnerability in Discord and Signal

Redacto

A high school junior who goes by hackermondev on GitHub uncovered a deanonymization attack capable of determining a target’s location within a 250-mile radius, without the target ever knowing. This attack exploits caching mechanisms in content delivery networks (CDNs), such as Cloudflare, to reveal geolocation data based on the datacenters handling user requests.

How the Attack Works
Cloudflare, one of the biggest CDNs, caches resources close to users to enhance speed and performance. By analyzing cache responses, including HTTP headers that reveal the nearest datacenter, an attacker can infer a user’s location with alarming precision. Apps like Signal, Discord, and others, widely used for their privacy features, become unwitting conduits for this vulnerability.

The attack extends to push notifications. When apps send attachments or user avatars as part of notifications, devices automatically download these resources, caching them locally. This creates a zero-click vulnerability – i.e. your location data could be exposed simply by receiving a notification from Signal or Discord.

Real-World Implications
Journalists, activists, or anyone relying on privacy-centric applications like Discord or Signal could have their approximate location exposed through this attack, compromising their anonymity. 

Despite responsible disclosures, hackermondev claims Signal and Discord downplayed the issue, framing it as a CDN-level or customer problem. Cloudflare patched a related bug but maintained that preventing these attacks is the responsibility of its customers, and the researcher was able to recreate the vulnerability even after Cloudflare partially patched it.

Staying Protected
While CDN caching is fundamental to internet performance, it carries inherent risks. Users who are concerned about their approximate location being exposed via their Discord or Signal accounts should start using a VPN urgently, so that the exposed location is that of a proxy rather than the user’s real location. Additionally, they can:

  • Limit exposure through app settings, such as disabling push notifications for sensitive apps.
  • Advocate for stronger security measures in the tools and platforms they trust.

For companies, disabling CDN caching for sensitive resources can help safeguard user data.
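
One way a service operator could check this on its own endpoints, shown as an added example that is not from the original article or the researcher's write-up: it audits the response headers of a sensitive resource (such as an attachment or avatar URL) for shared-cache exposure. The `cf-cache-status` values are Cloudflare's documented cache states; the function names, finding codes and sample headers are constructed for illustration.

```python
# Added example: sample headers below are constructed, not captured from a real service.
NO_SHARED_CACHE = {"private", "no-store"}  # directives that forbid shared (CDN) caching
# Cloudflare cf-cache-status values meaning the edge treated the response as cacheable
EDGE_CACHEABLE = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_sensitive_response(headers):
    """Return finding codes for a response that should never sit in a shared cache."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    # Without private/no-store, any shared cache in the path may store the response.
    if not cc.keys() & NO_SHARED_CACHE:
        findings.append("origin-allows-shared-cache")
    # public / s-maxage explicitly ask shared caches to keep a copy.
    if "public" in cc or "s-maxage" in cc:
        findings.append("origin-requests-shared-cache")
    # The edge status is checked separately: a CDN-side cache rule can
    # override what the origin header asks for.
    status = h.get("cf-cache-status", "").strip().upper()
    if status in EDGE_CACHEABLE:
        findings.append("edge-cached:" + status)
    return findings


SAMPLES = {  # constructed header sets
    "avatar": {"Cache-Control": "public, max-age=31536000", "CF-Cache-Status": "HIT"},
    "attachment": {"cache-control": "private, no-store", "cf-cache-status": "BYPASS"},
    "rule-override": {"Cache-Control": "no-store", "CF-Cache-Status": "MISS"},
    "no-headers": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_sensitive_response(hdrs) or "ok")
```

An empty result means the response neither invites shared caching at the origin nor shows a cacheable state at the edge.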

Awareness is Critical
The interconnected digital ecosystem offers immense benefits but also creates vulnerabilities and entry points for bad actors to exploit. Awareness is the first step toward protection. 

For those handling sensitive information or in high-risk roles, vigilance is paramount whenever integrating any third-party technology (like Cloudflare) into your product or business. Understanding potential entry points and trying to minimize their accessibility should be a focal point for any piece of software touting itself as privacy-first or privacy-conscious.

If you want to learn more, you can read hackermondev’s full research write-up here.

