Techlore on Nostr: A researcher has shown how they zero-click exposed users' locations of most messaging ...
A researcher has shown how they zero-click exposed users' locations of most messaging apps, including Signal and Twitter/X. Here's what you need to know 🧵
First, this issue exploited Cloudflare's CDN. An attacker only needs to send an image in order to obtain a very coarse location based on delivery timing of the message. This requires no involvement from the victim, so it's 0-click. Cloudflare has since fixed the issue.
Published at 2025-01-21 17:28:08

Event JSON
{
"id": "c4dc165ab6f8ff17d76be4f4c62dd060b7c38dab1c3124967436d226e86cf98a",
"pubkey": "2a7289d919cdd3d29b7d26075d50730e5e29bb266029894f9d32d0cffea8843f",
"created_at": 1737480488,
"kind": 1,
"tags": [
[
"imeta",
"url https://media.social.lol/media_attachments/files/113/867/521/250/892/118/original/926c7ffad148aadd.png",
"m image/png",
"dim 1176x996",
"blurhash U37-{9-[C8Rpy0M;V#oaGWRq+Ze=xTj=XNW="
],
[
"proxy",
"https://social.lol/users/techlore/statuses/113867521270444213",
"activitypub"
]
],
"content": "A researcher has shown how they zero-click exposed user's locations of most messaging apps, including Signal and Twitter/X. Here's what you need to know 🧵\n\nFirst, this issue exploited Cloudflare's CDN. An attacker only needs to send an image in order to obtain a very coarse location based on delivery timing of the message. This requires no involvement from the victim, so it's 0-click. Cloudflare has since fixed the issue.\n\nhttps://media.social.lol/media_attachments/files/113/867/521/250/892/118/original/926c7ffad148aadd.png",
"sig": "2bbfb17f00ecd1f652fffa191dac40196b15645e4afcee7b2b170c98432b01920de01606c1c6c5e11d325a0542de5b082280920302463f37e8758a35327229cb"
}