de-anonymization attack?
- The information extracted is a rough 250 mile radius around the user
- The attacker already has a way to contact the person (signal username / phone number)
Interesting reading, but also seems like technical clickbait.
Unfortunate that Cloudflare patched the issue enabling specific datacenters to be targeted. Would have been extremely useful for finding the location of servers behind Cloudflare.
> This would provide an incredibly precise estimate of the user's location.
Within ~250 miles of their location is not "incredibly precise"
Imagine the Cloudflare datacenters as cache lines, and this is just like a side-channel attack like Spectre. Not as fine-grained, but still cool stuff.
I'm sure this is nice to find what city/country someone is in, but not what I consider "incredibly precise".
I think it's good for finding out if someone is still in a certain region. More like region identification than deanonymization.
I remember iOS not always respecting VPNs; do these notification attachments get loaded through a VPN?
Would be very interesting to see how other IM behave with this:
For example: Jami - one of the most feature-complete, distributed IM...
Just by the fact he's expressing distances in miles, I can say he's from USA.
That's my 0-click deanonymisation.
Nice attack otherwise.
Anyone send Snowden a push notification? Would be interesting to see if he's still in Russia...
So the default option of using onion routes to hide your IP and location still works.
If you need to deanonymize a user who moves around a lot, this method makes sense.
Nice work OP, and congrats on HN front-page. Keep publishing or it never happened!
This is an extremely cool avenue of attack, I love the bot/demonstration.
Cloudflare's business model is fingerprinting as a service. Awesome.
Impressive write-up, especially for your age! Thanks for sharing :)
I think all these things are absolutely ridiculous.
I use alpine (the email client, not the Linux distro). Before that, I used pine.
Every single thing that gets loaded from anywhere on the Internet has to be the result of an action that I take. Nothing ever gets loaded automatically. I get to choose if I load the thing using the server that I'm connected to, or if I load it directly on my local machine. I know the implications of each.
The fact that programs, particularly ones that are supposed to be for the security minded like Signal, load anything by default, automatically, is just, well, naive.
I can't be the only person who thinks that people who don't think these things through shouldn't be working on apps and email clients. Sure, people would have a cow if their email client didn't load every frigging thing and run remote Javascript and so on, but in Signal? Really?
(end rant)
I see that this can be turned off. I will now tell everyone I know that uses Signal that this should, in fact, be turned off.
This highlights that the design of the protocols, which are two decades old, all need to be rethought.
That's a 15 year old.
I can't even convince what the governments are able to do. You could technically route Signal over the Tor network, but then even Tor has vulnerabilities with its C coding.
It's a classic timing attack. You can detect which Cloudflare datacenter is "closest" (i.e. least network latency) to a targeted Signal or Discord user.
The speed of light is the main culprit here.
Why is the picture not simply cached near the sender as opposed to the receiver?
Is there any good reason for deciding this way on the part of Signal et al.?
Great job, you're going to go far Daniel.
Surprised that was only worth 200 bucks.
Why does Signal even have that side channel???
Even Matrix encodes images and other data in the E2E P2P message flow.
“deanonymization”
Hardly.
Amazing sleuthing but not deanonymization.
Pretty impressive work.
Presumably Cloudflare will close the loophole for enumerating cache edges now.
This is pretty devastating for Signal.
very impressive findings
is simplex immune?
impressive
> it's possible for an attacker to run a cache geolocation attack to find out which local datacenter they're near--similar to how law enforcement track mobile devices through cell phone towers.
Very much disagree on this: they track mobile devices through your connection strength to multiple cellular towers, while this attack proves which singular datacenter the victim is nearest.
Don't get me wrong, the write-up is really interesting, but it does feel like the author is a bit of a sensationalist.
"Signal instantly dismissed my report"
"Telegram, another privacy-focused application, is completely invulnerable to this attack"
"Discord […] citing this as a Cloudflare issue other consumers are also vulnerable to"
"Cloudflare ended up completely patching the bug"
I wish Signal would react differently. I still remember the bubble color controversy when they changed their mind after the backlash and not before. :-)
I guess I'm not so "crazy" for funneling all my Android's outbound traffic through a VPN that does two hops.
For being 15 years old, cool work!
But calling this de-anonymization is a stretch, if it can possibly pinpoint you within 250 miles (and that's assuming the GeoIP data is correct too, which it rarely is).
In their GeoGuesser demonstration video, the highlighted area is densely populated, and you would still need to match millions of people against the online user.
It does provide some hints as to the location of the targeted user, and that is cool!
"Luckily" my ISP is DTAG which has horrible peering with Cloudflare. So I'm routed through Warsaw (WAW) most of the time, even though there are multiple closer datacenters in Germany.