Internet users have a few weapons in their arsenal when it comes to disguising their location. Some have good reasons for wanting to do that, from making sure that activity cannot be traced back to them to watching streaming content that is available only in other regions, or paying less for certain goods and services.
Deanonymization attacks try to locate a user through various means. A simple one uses a device’s IP address to find out information about a user.
Deanonymization using Cloudflare
A security researcher has discovered a new method, one that does not require any user interaction at all. It relies on Cloudflare, which operates one of the largest content distribution networks, and on services that use Cloudflare for caching.
The main idea behind the attack is this: Cloudflare caches content, and there is a way to check which content is cached on Cloudflare. All an attacker has to do is send a unique file to a user and then check Cloudflare's caches for hits. Because the unique file is accessed by a single user only, Cloudflare does not cache it in all of its datacenters.
As a result, you get a hit in a datacenter that is close to the user, usually the nearest one. Cloudflare operates hundreds of datacenters around the world. While that still only yields a radius of a few hundred kilometers or more, it does narrow down a user's location, provided that no other means of disguising the location are used.
The researcher describes the attack using Signal and Discord. In Signal, there are two options. The first sends an image to a user, which requires that the target opens the conversation. If the target has push notifications enabled, this one-click attack turns into a 0-click attack, as the attachment is already fetched and shown as part of the notification. All it takes afterwards is to check Cloudflare datacenters to find the one that has cached it (first).
On Discord, users can use custom emojis if they have a Nitro subscription. They can show the custom emoji in their status, which means that anyone opening the profile of the user may have their approximate location checked using Cloudflare.
Combined with GeoGuesser, which is a private Discord bot, it could be used to narrow down a user’s location.
Closing Words
While the attack still only returns a radius of several hundred kilometers, it may be possible to combine it with other attacks, or to repeat it over time. The attack may provide important information on its own, but if done regularly, it could help identify a user who moves around a lot (e.g. for work).
There is little that users can do to prevent this kind of attack. One option is to disable the auto-accepting of attachments and media; another is to use VPN servers or other means of disguising the location.
“One option is to disable the auto-accepting of attachments and media”.
Option? This is not an option, it’s a no-brainer. People are so ignorant, and that is the real problem.
Yes, but I doubt that it is done by many users.
Do you think it will be long before services like Netflix will commonly employ this type of tactic to help further their anti-VPN agenda?
I noticed on LTSC versions of Windows that Location Services are turned off; does it make a difference? All turned off for apps as well. Oddly, the Geolocation Service runs; maybe for time synchronization.
If successful (which it probably wouldn’t be, given my current config. has push notifications and auto-accept disabled) this would give the attacker my current VPN exit point within a few hundred km., not my actual location. This is not something I’m stressed about.
Nice work by the (15 year old!) hacker, however.