A security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user might be in.

cross-posted from: https://lemmy.ca/post/37638868 !privacy@lemmy.dbzer0.com

This affects Signal too

An issue with Cloudflare allows an attacker to find which Cloudflare data center a messaging app used to cache an image, meaning an attacker can obtain the approximate location of Signal, Discord, Twitter/X, and likely other chat app users. In some cases an attacker only needs to send an image across the app, with the target not clicking it, to obtain their location.

https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117?ref=404media.co

Signal, an open-source encrypted messaging service, is widely used by journalists and activists for its privacy features. Internally, the app utilizes two CDNs for serving content: cdn.signal.org (powered by CloudFront) for profile avatars and cdn2.signal.org (powered by Cloudflare) for message attachments.

    • boaratio@lemmy.worldEnglish
      5·
      19 hours ago

      I’m not trying to wear a tinfoil hat, but Snowden clearly revealed that the government is easily able to purchase cellphone location data based on GPS and tower data more easily than they can go through the FISA courts.

      • ByteOnBikes@slrpnk.netEnglish
        2·
        14 hours ago

        Ah, thought you meant though metadata. Like a end user snooping through some obscure meta data method (even after cleaning) let’s you triangulate something.

      • Danitos@reddthat.comEnglish
        3·
        18 hours ago

        Your cellphone provider very likely already sells this data.

        I know mine does, because I attended a webinar of a buying company where they explicitly mentioned this.