A flaw in the Cloudflare CDN system that exposes a target’s approximate location has been addressed, but may remain usable via an alternate method involving a VPN service. The approach may also be repeatable with other CDNs, creating a potential new hazard for political dissidents, activists, journalists and others who may find themselves being tracked.
15-year-old security researcher tracks down location data oversight
A 15-year-old security researcher named Daniel disclosed the Cloudflare CDN issue privately, and the company has addressed it after paying out a $200 USD bug bounty. But Daniel says that the technique can be repeated by making use of a third-party VPN service that has broad enough coverage.
The Cloudflare CDN flaw does not provide a specific location for a target, but can place them within about 50 to 300 miles by identifying the content server closest to them. The delivery time of an image or other unique file sent to the target’s device reveals which server they are closest to. In developed countries, there is generally a Cloudflare CDN server within 200 miles of any given location.
This approach can also be a “zero click” attack if the image served to the user is displayed in a thumbnail in their notifications. Two prominent examples of apps that do this are Signal and Discord, but Daniel says that each rejected his bug report as they felt it was a Cloudflare CDN problem that was beyond their scope to address.
Flaw might be exploitable beyond Cloudflare CDN
The exploit of the Cloudflare CDN flaw appears to have been relatively simple. It did require the creation of a custom tool, but it hinged on a weakness in a platform called “Cloudflare Workers” used to deploy serverless functions. The platform allowed requests to be forced through specific servers, which could then be systematically checked to see which one delivers the image (or whatever tainted file) to the user fastest.
Though the method only provides rather vague location data, there is still reason to be concerned. Cloudflare CDN might still be exploitable via VPN services despite having addressed the flaw, and it’s possible that other CDNs of a similar size could also be weaponized in this way. Akamai is the world’s biggest, but others that have similar range include the ones operated by Google and Amazon, Microsoft’s Azure CDN, Fastly, and StackPath.
And while tracking someone to within 200 miles does not have a tremendous range of use cases, it could have some concerning applications. A political dissident or activist might be pinpointed as being in or out of their home country, or reasonably assumed to be at a known location in another country. Burglars might use it to determine when someone has gone traveling for an extended period. Or a stalker or abuser could use location data to determine when a victim has gone to be with family.
Unfortunately, the bulk of the work of securing against potential CDN flaws falls on the websites and apps that use them for content delivery: they need to pick services with a good reputation, but also regularly monitor them for issues like poisoned files, malicious scripts and generally strange behavior.