0-click deanonymization attack targeting Signal, Discord, other platforms

It's also quite insidious as you don't need to control anything on any server to get this information; as long as you can get your target to load a unique URL never before loaded by anyone else, you can simply later poll it with an unauthenticated HTTP GET from different locations, and find which one reports a Cloudflare HIT (or, even if they hid that information, finding the one that returns with lower latency).

If you're allowing user uploaded content, and you use Cloudflare as a CDN, you could mitigate and provide your users with plausible deniability by prefetching each uploaded URL from random data centers. But, of course, that's going to make your Cloudflare bill that much more expensive.

Cloudflare could allow security-sensitive clients to hide the cache-hit header and add randomized latency upon a cache hit, but the latter protection would also be expensive in how many connections must be kept alive longer than they otherwise would. Don't do anything on a personal device or account if you want your datacenter to be hidden!

Note that CF will also route relative to the sites' plan. Enterprise sites are almost always routed to the closest DC, while if that DC is overloaded then lower tier websites, typically just Free sites, will get routed elsewhere (I suppose this is achieved via different anycast ranges where a specific DC is excluded). Although Discord, Signal, etc are almost certainly Enterprise sites.

I have this old site to test this (the list of sites is a bit old): https://cloudflare-test.judge.sh/

I doubt how useful it would be as an attack. As a single point of info it tells you next to nothing. As part of a composition of other indicators it would be the weak link in the chain probably just causing noise for the not un-likly scenario where the person you're targeting is using a VPN.

If it was any less specific we'd be talking about a deanonymization attack that outs whether or not a target is still on Earth.

Cloudflare does serve me from France. When I'm in Australia. (My ISP bought some IP addresses that were original regional France, back in the early 90s.)

So though this does have implications, the assumptions they utilise, like always, are not universal.

for "normal people", that's a pain, but with enough resources,...

Although. it has edge usecases even for "normal people":

Eg. you suspect your coworker to be catfishing you on eg. discord, you know that he's in your city now, verify, then wait for him to leave for a vacation to somewhere abroad, check again.

> Given Cloudflare's less-than-straight approach to sales, it is astonishing the words "secure" and "Signal" ever appear in the same sentence.

This is an overly binary take. Security is all about threat models, and for most of us the threat model that Signal is solving is "mainstream for-profit apps snoop on the contents of my messages and use them to build an advertising profile". Most of us using it are not using Signal to skirt law enforcement, so our threat model does not include court orders and warrants.

Signal can and should append some noise to the images when encrypted (or better yet, pad them to a set file size as suggested by paulryanrogers in a sibling comment) to mitigate the risks of this attack for those who do have threat models that require it, but for the vast majority of us Signal is just as fit for purpose as we thought it was.

I wonder if we'll see assets being padded to some common byte sizes to combat this.

>It gets more interesting when you think about the impact on groups. Sending an image to a group is enough for all devices associated with that group to be identifiable from CloudFlare's side,

Doesn't this open up the possibility to identify groups that have been infiltrated by spies or similar posers? If you use this method to kinda-sorta locate or identify all the users in your group and one or more of those users ends up being located in a region where you should have no active group members then you may have identified a mole in your network.

Just thinking out loud here since there's no one else home.

> , it is astonishing the words "secure" and "Signal" ever appear in the same sentence.

You misspelled "I do not understand what end to end encryption means"

you don't have to "befriend" them. you send a friend request because that defaults to a push notification for users with the discord app on their phone. Now, with signal, i don't use it so i don't know how initial chats start, or whatever. The discord one is 0-click because the PFP in the friend request is the payload delivered via PUSH.

And to someone else's point - they had to block the request on their end with a MITM to do the 1-click version on signal. No such MITM is needed with the friend request.

As an aside, one time i got doxxed hard in an IRC channel with several hundred active users. I had a suspicion of who it was, and i knew they lived in chicago. So i "accidentally" sent a link to "screenshot proof" that was hosted on one of my domains. there was 1 immediate click. instant. Chicago. "accidentally" because it looked like i pasted an email body.

Packed the real screenshot and a complaint to the ircadmin. they said "and so you dox them back?"

can't win for trying.

There's probably at least a few instances where you send someone you think is American a picture but it gets cached in Moscow, or vice versa. Or you post a meme to a Californian left-wing group and it gets cached in DC. Not hard to imagine situations where getting an unexpected rough location could be a valuable signal.

You can also ping the same person multiple times, like once a day at different time of the day. That provides a more complete range.

Not really.

Anyone who wants to conceal what continent they're on will also be using a VPN 24/7, or will have the proxy setup in Signal (AKA running 24/7), which defeats this.

I don't care if users see "my" ipv4 because cgnat. I think i don't care if they can see my ipv6 because each machine gets a /64 to itself, that's the logic, right?

But my PBX and my matrix server both use coturn. Our 10 user "private" PBX we have to VPN into a fortigate in a DC to use, but to my understanding, there's literally no way to eavesdrop on those calls without already compromising the server it's running on, and if that's the case, no extra VPN steps or whatever will help.

anyhow even with a real, publicly routable IP, stock windows 11, stock macos (used to be true), and most linuxes won't get compromised by stuff like backorifice or whatever else l0pht put out as "remote administration tools". that is, there usually isn't any listening ports on a public IP these days. Shield's Up!

Exactly. Especially when considering that Signal was often advertised as that *one* privacy friendly open-source messaging solution in a world dominated by data-collecting demons like WhatsApp, etc. I don't think even WhatsApp let's such status details leak; notwithstanding whatever they might be doing with the user data on the backend.

A VPN obfuscates this. Assuming a target is even remotely aware, you might think they are in Australia, while they're actually in Nova Scotia

> you would be surprised how quickly this adds up

Yes, but if social engineering is involved and tracing back through user conversations across a platform, it's hardly a vulnerability, let alone one deserving of a bounty. The way this is currently functioning is intended functionality, and can be further locked down depending on the user's threat model.

This can essentially be classified as opsec failure for the Signal user. If they're trying to hide from a hit in a 300 mile radius, they've got bigger problems to worry about, and should already be using a VPN setup.

Every time you click on a link your external IP addresses is exposed, is this a vulnerability? Being online without a VPN / proxy is inherent consent to have your external IP & other required items to be shared with services / middlemen.

When it comes to Discord, if you have this strict of a threat model and you're still using it, idk what to tell you.

Thank you! That's what I get for quick scrolling through the settings. I for sure thought it would have been under Privacy (for this concern), but that makes sense too.

hmm. I find the auto-download setting in the mobile app but not on desktop (mac). anyone know?

it looks like it can’t be disabled for view-once media (or at least, that’s what the settings screen says)

Haha thank you for doing the math! I was lazy and just added the populations and a plus at the end.

> The counter point is that anyone who cares about being anonymous is using methods to disguise their identity that cannot be compromised by this attack, e.g: a VPN.

Yes unless Apple is doing Apple things and ignores VPNs for things like push notifications…

https://x.com/mysk_co/status/1579997801047822336

I am not sure I understand what you mean by "trustworthy enough to send them notifications". Do you need anything other than one's phone number to send them a signal message?

How many people live in a 250 mile circle around their Cloudflare POP?

Which Cloudflare POP I hit depends on which RSP I use. In the country I live in, our biggest RSP peers with Cloudflare in a neighboring country (as it is much cheaper for Cloudfare to send traffic via that RSP's peering exchange there). So something like 40% of traffic will seem to be from a entirely different country than reality.

My RSP is a small RSP which until fairly recently only had two POPs in the entire country. So regardless of where you lived, customers of my RSP would have traffic exiting onto the internet via only one of two exit points. Rural users would seem to be coming from one of the two largest cities in my country even if they are easily >250miles way from their particular POP. They do peer with Cloudflare but obviously only at the locations where they and Cloudflare are in the same city (and I'm not sure this is the case -- it is possible all national traffic to Cloudflare traffic actually goes via the one POP in our biggest city).

The only reason this attack identifies the city I happen to be in is because I live in the same city as my little's RSP's biggest POP and Cloudflare happens to peer with that RSP at that POP. Where I am is a large city so doesn't narrow things down very much -- but even worse is that whoever is looking for me would actually need to look anywhere in my country.

I don't think I am an unique case as internet routing is rarely the most direct path for various technical, financial, political, etc reasons.

De-anonymization is definitely stretching the reality of what this 'attack' is capable of IMHO.

I think the more important question is how many people in the world don't live within a 250 mile circle around New York? An investigator could potentially cut their geographical search down by 95%+.

You don't need to live in a major city. Cloudflare is never going to set up a caching proxy for a hamlet in the desert; you'll always be part of a huge group that a given caching proxy serves. The attacker can be happy if they can narrow the recipient's location down as much as to a single country

Someone on GitHub called him out for making a Twitter account in 2017, since he'd have to be 8 years old at the time... I don't see what's so unbelievable about an 8yo making a Twitter account.

Interesting you touched on his age. I got extremely curious, why did the OP did such a flex?(assumming they are telling the truth). The first sentence is such a weird brag that it felt suspicious. The report is highly technical and extremely well written. We're either dealing with a pure genious or a fraud. But why would a genious flex? Doesn't make sense.

> Signal's default setup is more usability focused while supporting E2E

If images/attachments were e2ee, this problem probably wouldn't exist, right? or are the images on cloudflare encrypted?

Edit: I should clarify. I didn't mean the encryption itself fixes the problem, but rather that: If this were handled like the text messages we send (not via cloudflare CDNs) then this wouldn't exist. I get that attachments are quite some bytes bigger than text but shouldn't the security guarantees be the same?

Where does Signal claim that, or who decides what they're "supposed" to provide?

If wishes had wings, sheep would fly. People who want their computer to do a certain thing can also be expected to do a quick web search for how to make it do said thing. E.g.: hiding location? Use onion routing. Signal doesn't claim to hide your country (heck, they require your phone number!) so it seems wishful thinking to say they should have included e.g. a Tor client and enabled it by default

You would know if they are over a cellular network or checking on mobile.

If someone sends you a youtube link and you hit play, YT knows who you are, both from a network perspective and potentially the logged in user.

If you are using signal in a high risk environment, you should be using it from a system that contains no extra information about you. This is the same posture one should take when using Tor.

Basic opsec.

I don't think these kinds of things are in signals threat model. It is meant? as a message platform for people with nothing to hide?

Law enforcement could probably just ask cloudflare for the exact IP address that retrieved the attachment.

That caching is something you can turn off, at least for every CDN that I have worked with.

The Cache-Control http header has a `private` directive specifically to inform CDNs and similar not to cache the response.

Signal does cache them in a CDN. If the vulnerability was sending any link, you could just set up your own web server and get the person’s IP