An issue with Cloudflare allows an attacker to find which Cloudflare data center a messaging app used to cache an image, meaning an attacker can obtain the approximate location of Signal, Discord, Twitter/X, and likely other chat app users. In some cases an attacker only needs to send an image across the app, with the target not clicking it, to obtain their location.
Although the obtained location data is very coarse—in some of 404 Media’s tests it showed what city or state someone was in but did not provide more accurate information than that—the news shows the importance for some at-risk users to protect not just their message contents, but their network activity as well.
“It's more of an oversight in the way the mobile application works than a vulnerability in the actual code but regardless, I thought it should be fixed,” daniel, an independent security researcher who reported the issue to Cloudflare, told 404 Media in an email. daniel said Cloudflare has since fixed the specific issue his custom-made tool was using.