this post was submitted on 21 Jan 2025
124 points (98.4% liked)

Technology

60704 readers
5261 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
124
Cloudflare Issue Can Leak Chat App Users' Broad Location (www.404media.co)
submitted 1 day ago* (last edited 1 day ago) by otter@lemmy.ca to c/technology@lemmy.world
35 comments fedilink hide all child comments
 

cross-posted from: https://lemmy.ca/post/37638868 !privacy@lemmy.dbzer0.com

This affects Signal too

An issue with Cloudflare allows an attacker to find which Cloudflare data center a messaging app used to cache an image, meaning an attacker can obtain the approximate location of Signal, Discord, Twitter/X, and likely other chat app users. In some cases an attacker only needs to send an image across the app, with the target not clicking it, to obtain their location.

https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117?ref=404media.co

Signal, an open-source encrypted messaging service, is widely used by journalists and activists for its privacy features. Internally, the app utilizes two CDNs for serving content: cdn.signal.org (powered by CloudFront) for profile avatars and cdn2.signal.org (powered by Cloudflare) for message attachments.

you are viewing a single comment's thread
view the rest of the comments
[–] knighthawk0811@lemmy.ml 35 points 1 day ago (3 children)

i think this would be true of basically any large service that had multiple data centers. whichever one catches your data is the one closest to you.

the difficulty is accessing that data even if you can't read it you still have the closest location.

sounds to me like the Internet working as intended. if you want true privacy you need to take extra steps

[–] KairuByte@lemmy.dbzer0.com 9 points 1 day ago (1 children)

Not even guaranteed to be the closest data center. It’s not completely out of the ordinary for there to be a faster route available to a data center farther away.

[–] Telorand@reddthat.com 11 points 1 day ago

Agreed. Privacy is always a balance between your threat model and useability. If your general location is enough to put you in danger, hopefully you're already aware of how your data is being sent over the various networks and have measures in place to stay safe.

For most people, knowing very generally where they are isn't especially useful information to anyone with an interest in surveillance.

[–] azertyfun@sh.itjust.works 2 points 23 hours ago* (last edited 23 hours ago) (1 children)

On the one hand, deanonimization attacks are never entirely avoidable on unhardened targets and this one isn't particularly sophisticated and leaks relatively little information.

On the other hand deanonimization attacks are always bad and it's a good reminder to people of the risks they are taking. This is also slightly non-obvious behavior, even if it makes sense to the technically competent, as something like an IP grabber normally requires user interaction such as clicking a link. It's also a vector that CF might be able to mitigate by patching the ability to query a given cache directly.

[–] knighthawk0811@lemmy.ml 1 points 22 hours ago

they should be able to patch that as long as nothing relies on it working as is