Deanonymisation Through the Back Door: How Cloudflare's Cache System is Being Exploited

Recently, a young hacker known as "Daniel" published a detailed write-up of a de-anonymization attack that abuses Cloudflare, a well-known Content Delivery Network (CDN), and raised questions about user security and privacy.

Cloudflare and CDN

Cloudflare is a significant player in the CDN space, speeding up the delivery of web content through caching. Across its extensive network, Cloudflare keeps cached copies of resources such as images and web pages in data centers close to users, which reduces load on the origin server and shortens access times.

To this end, Cloudflare operates data centers in over 330 cities worldwide, a footprint that sets it apart from competitors such as Amazon CloudFront or Akamai.

The Attack

Daniel demonstrates a zero-click de-anonymization technique that narrows a user's location down to a radius of roughly 400 km. It abuses Cloudflare's caching: the cf-ray response header ends with a three-letter code identifying the data center that served the response, and cf-cache-status reveals whether that data center already held the resource in its cache. Together they show which data center a user's device fetched a resource through, and therefore approximately where that user is.

  1. The attacker causes the user's device to load a resource (for example an image) from a site served through Cloudflare. The device fetches it via the Cloudflare data center nearest to it, which stores a cached copy.
  2. The attacker then requests the same URL from every Cloudflare data center in turn and reads cf-cache-status. A HIT at a data center the attacker's own traffic never touched means the user's device was routed through it, so that data center's location approximates the user's. Two practical caveats: the attacker's own requests populate the cache at whichever data center serves them and must be discounted, and a probe that returns MISS itself caches the object there, so each data center yields a clean reading only once per resource.
  3. Since a client cannot normally choose which Cloudflare data center handles its request, Daniel built a small tool called "Cloudflare Teleport" that used a bug in Cloudflare Workers to direct requests to arbitrary data centers and query them one after another.
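The inference behind the three steps above, as an added example that is not part of Daniel's write-up or his tool: it parses the cf-ray and cf-cache-status headers from one probe response per data center, discounts the data centers the attacker's own traffic passed through, and returns the data centers where the victim's device left a cached copy. It also includes the check a platform operator would run against its own CDN URLs to see whether they are cacheable, and hence probeable, at all. The colo-to-city table and the sample probe responses are constructed for the example; the header formats (an IATA-style code at the end of cf-ray, HIT/MISS/DYNAMIC/BYPASS in cf-cache-status) are Cloudflare's documented behaviour. Nothing here sends network traffic.

```python
import re

# Constructed lookup of a few Cloudflare data-center (colo) codes. cf-ray ends
# with an IATA-style airport code; this table is an example assumption and is
# deliberately tiny, not a complete list of Cloudflare locations.
COLO_CITY = {
    "FRA": "Frankfurt", "AMS": "Amsterdam", "LHR": "London",
    "CDG": "Paris", "IAD": "Ashburn", "SJC": "San Jose",
}

# cf-ray looks like "<hex request id>-<COLO>", e.g. "8d9f7a1b2c3d4e5f-FRA".
CF_RAY_RE = re.compile(r"^([0-9a-f]+)-([A-Z]{3})$")

# cf-cache-status values meaning the object went through the edge cache, so its
# presence can be probed. DYNAMIC and BYPASS mean the edge did not cache it and
# the side channel is closed for that URL.
CACHEABLE_STATES = {"HIT", "MISS", "EXPIRED", "STALE", "UPDATING", "REVALIDATED"}


def colo_from_cf_ray(value):
    """Return the three-letter data-center code at the end of a cf-ray header."""
    m = CF_RAY_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected cf-ray value: {value!r}")
    return m.group(2)


def is_cache_exposed(headers):
    """Platform-side check: does the edge cache this URL at all?

    A service that wants to close the side channel should see DYNAMIC or
    BYPASS here (e.g. by serving attachments with Cache-Control: private, no-store).
    """
    return headers.get("cf-cache-status", "").upper() in CACHEABLE_STATES


def infer_victim_colos(probe_results, attacker_colos=()):
    """Attacker-side inference over one probe per data center.

    probe_results: response-header dicts for the *same* URL, each answered by a
    different data center. A HIT means the object was already cached there
    before the probe, i.e. someone (the victim) fetched it via that data
    center. Data centers the attacker's own traffic went through are excluded
    because they show a HIT regardless. A MISS populates the cache, so each
    (URL, data center) pair can be read cleanly only once.
    """
    hits = set()
    for headers in probe_results:
        colo = colo_from_cf_ray(headers["cf-ray"])
        if colo in attacker_colos:
            continue
        if headers.get("cf-cache-status", "").upper() == "HIT":
            hits.add(colo)
    return hits


def describe(colos):
    """Map inferred colo codes to city names for reporting."""
    return sorted(COLO_CITY.get(c, c) for c in colos)


# Constructed sample: the attacker's own fetch went through SJC; the victim's
# phone pulled the attachment through FRA. All other probes hit a cold cache.
SAMPLE_PROBES = [
    {"cf-ray": "8d9f7a1b2c3d4e5f-FRA", "cf-cache-status": "HIT"},
    {"cf-ray": "8d9f7a1b2c3d4e60-AMS", "cf-cache-status": "MISS"},
    {"cf-ray": "8d9f7a1b2c3d4e61-LHR", "cf-cache-status": "MISS"},
    {"cf-ray": "8d9f7a1b2c3d4e62-CDG", "cf-cache-status": "MISS"},
    {"cf-ray": "8d9f7a1b2c3d4e63-IAD", "cf-cache-status": "MISS"},
    {"cf-ray": "8d9f7a1b2c3d4e64-SJC", "cf-cache-status": "HIT"},
]

if __name__ == "__main__":
    found = infer_victim_colos(SAMPLE_PROBES, attacker_colos={"SJC"})
    print("victim likely near:", describe(found))            # ['Frankfurt']
    print("URL exposed to probing:", is_cache_exposed(SAMPLE_PROBES[0]))
```

The attacker learns their own colo simply by fetching the URL once and reading cf-ray; that is also the cheapest way for a defender to verify a fix, since a URL that is no longer cached returns DYNAMIC or BYPASS and `is_cache_exposed` becomes False.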

Signal: From 1-Click to 0-Click

Daniel successfully verified the attack vector against the Signal app:
When a user sends an attachment (for example an image) via Signal, it is uploaded to cdn2.signal.org, which is fronted by Cloudflare. Because these attachment URLs are cacheable, an attacker who sends an attachment can apply the cache geolocation method described above to locate the recipient once their device downloads it.

With push notifications, the attack becomes even simpler:
For the "1-click" variant, the recipient has to open the Signal conversation so that the attachment is fetched. With push notifications enabled, even that is unnecessary: when the notification arrives, the Signal app downloads the attachment from the CDN in the background, so the attack requires no user interaction at all.

Daniel also successfully applied the same attack vector to Discord.

Reaction

Daniel dutifully reported the vulnerability to the affected platforms.
Signal responded that it was not their responsibility and that users should take their own steps to conceal their identities. A bold statement for a platform that supposedly prioritizes privacy.

Cloudflare, in contrast, responded to the report and fixed the bug that allowed "Cloudflare Teleport" to address individual data centers directly. Interestingly, the same bug had been reported a year earlier by another researcher through Cloudflare's HackerOne program; at the time it went unaddressed because no practical attack scenario was known. The fix does not close the underlying cache side channel, however: Daniel has since rebuilt the tool to route its probes through VPN endpoints in different regions, so the attack remains possible under certain conditions.

Although many would not consider this a classical form of "de-anonymization," the danger it poses in certain scenarios should not be underestimated. A well-known example is Silk Road founder Ross Ulbricht, who inadvertently revealed his time zone, a detail that helped U.S. authorities narrow their search to the United States. In the same way, this attack vector could be used to pin down the location of journalists working in authoritarian states and put their safety at serious risk.

This case shows how a performance feature such as edge caching can quietly become a privacy side channel, and underscores the need to keep re-examining security measures as the infrastructure around them changes.