A Cloudflare CDN flaw that can expose some location data to an attacker was patched before being publicly disclosed, but the security researcher who discovered it says that the trick still works with the use of a VPN service and some extra steps.
The flaw can tell an attacker which airport code a target is closest to, which places them within about 50 to 300 miles of their actual location. The flaw is predicated on how Cloudflare caches data at local data centers to improve end-user loading times, and can be exploited simply by serving the target an image that the cloud giant stores at the edge.
Exposure of Cloudflare CDN response times enables rough geolocation tracking
The flaw does not allow an attacker to get specific location data, but it is relatively simple to pull off and could potentially tell someone when a target is moving from region to region. The problem exists in Cloudflare Workers, a platform used by developers to deploy serverless functions that run on the Cloudflare network and execute as physically close to a user as possible. The security researcher developed a custom tool called Cloudflare Teleport that can force requests through specific data centers, essentially testing the response times at each server location (labeled by regional airport code) to see which one reaches the target in the shortest amount of time.
The effectiveness varies depending on how many Cloudflare CDN locations are in the region; more locations means greater precision, down to a range of about 50 miles at best. In rural regions the accuracy of the location data may drop to a range of about 300 miles. As the bug report notes, anyone living in a developed country is likely within 200 miles of a Cloudflare CDN server at any given time.
The security researcher, who goes by “Daniel,” privately notified Cloudflare of the bug in December 2024. The company paid a $200 bounty for it and patched it prior to public disclosure. However, Daniel says that the flaw can still be repeated by making use of a VPN service that offers a broad array of servers. The VPN can be used to probe Cloudflare CDN servers, with at least 54% of all global locations accessible in this way. Daniel says that this covers “most places in the world with significant population,” indicating that the attack is still viable.
Location data can be tracked via a “unique image”
When a local data center receives a request for a resource that can be cached, like an image file, the Cloudflare CDN stores a copy of that file there for faster future retrieval. The attacker tracks the target by way of image files, and this can become a “zero-click” exploit if an app fetches the image automatically to show a thumbnail in its notifications. Two examples of apps that do this are Discord and Signal, both of which Daniel notified about the flaw; however, both rejected his report on the basis of it being a network-layer issue that is beyond their scope.
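The tracking technique above depends on a recipient-specific image being stored at the edge data center nearest the recipient, so one defender-side check an app team can run is to audit whether its per-user attachment responses are edge-cacheable at all. The following is an added example, not code from the article, from Cloudflare, or from the researcher's Teleport tool; the header names cf-cache-status and cf-ray are real Cloudflare response headers, the sample header sets are constructed, and treating Cache-Control private/no-store as the mitigating setting is an assumption based on standard shared-cache semantics.

```python
"""Audit whether per-user attachment responses are cacheable at the CDN edge.

Added defender-side example. cf-cache-status and cf-ray are real Cloudflare
response headers; the sample header sets at the bottom are constructed.
"""
import re

# Cloudflare appends the serving data center's airport code to cf-ray, e.g. "...-SJC".
CF_RAY_RE = re.compile(r"^[0-9a-f]+-([A-Z]{3})$", re.I)


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def cache_control_directives(value):
    """Parse a Cache-Control header value into a set of lowercase directive names."""
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}


def edge_cacheable(headers):
    """True if nothing in Cache-Control forbids a shared cache from storing the response.
    Assumption: shared-cache semantics, where private or no-store forbids storage."""
    directives = cache_control_directives(_lower(headers).get("cache-control", ""))
    return not (directives & {"private", "no-store"})


def serving_colo(headers):
    """Return the airport code of the data center that served the response, or None."""
    m = CF_RAY_RE.match(_lower(headers).get("cf-ray", ""))
    return m.group(1).upper() if m else None


def audit_attachment_response(headers):
    """Flag a per-user attachment response that could be stored at the edge."""
    status = _lower(headers).get("cf-cache-status", "NONE").upper()
    finding = {"cacheable": edge_cacheable(headers), "cached_at_edge": status == "HIT",
               "colo": serving_colo(headers)}
    finding["exposed"] = finding["cacheable"] or finding["cached_at_edge"]
    return finding


# Constructed sample responses, not captured traffic.
WEAK = {"Cache-Control": "public, max-age=31536000", "CF-Cache-Status": "HIT",
        "CF-Ray": "8e1f2a3b4c5d6e7f-SJC", "Content-Type": "image/png"}
HARDENED = {"Cache-Control": "private, no-store", "CF-Cache-Status": "BYPASS",
            "CF-Ray": "8e1f2a3b4c5d6e80-SJC", "Content-Type": "image/png"}

if __name__ == "__main__":
    for name, h in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_attachment_response(h))
```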
The rather small amount paid for the bug bounty and the seeming dismissal of the issue by multiple companies might indicate that it is not very serious. But while it cannot provide an attacker with specific location data, it is a very simple means of tracking movement in cases where something is already known about the target. Roger Grimes, data-driven defense evangelist at KnowBe4, expands on the possibilities: “At first glance, the flaw seems really innocuous and barely relevant, but there are scenarios, like those involving tracked dissidents, where it could be a problem. For example, if the agency that’s tracking you knows you’ve got safe houses in one of two countries but isn’t sure which you’re in, this sort of flaw might be interesting to them. Or I’m a woman trying to escape an ex-boyfriend and he’s not sure which relative or friend’s house I’m hiding out at. And the attack is just generic enough that I think it can be applied to more CDNs…I doubt Cloudflare is the only CDN with this sort of vulnerability. Also, kudos to the 15-year-old kid that found and released this attack.”
Cloudflare CDN is among the biggest of its kind, but it is far from the only player in the field that could similarly be leveraged for location data; other prominent examples include Akamai, Amazon CloudFront, and Azure CDN. CDNs have become instrumental in ensuring fast load times around the globe, and Cloudflare is among those that add extra security features such as DDoS protection (as of 2024, almost 20% of all websites are estimated to make use of its security services). But the location data incident also highlights the fact that CDNs can introduce security flaws of their own, and it is largely on individual sites and apps to pick a reliable CDN and perform routine security checks, such as verifying the authenticity of files loaded from these services and monitoring any libraries or scripts drawn from them.
Advanced nation-state hacking teams have shown interest in CDNs as an attack vector and similar source of location data, with a team from an unspecified nation breaching Cloudflare in late 2023. The attackers broke into the company’s Atlassian server and managed to exfiltrate internal documents and some 76 source code repositories, some of which contained encrypted internal secrets. That attack was a follow-on making use of an access token and several service account credentials stolen during the October 2023 breach of Okta.