alt Hacker NewsThis is certainly an "attack" but not one you'd normally associate with zero click. There is no code execution, but some tricks to see which Cloudflare datacenter cached the image -- giving a very rough area the user is in. Impressive and insightful nonetheless.
depending on the circumstance, the rough area might already be useful to adversaries of the person trying to hide. I wouldn't expect things like criminals etc. to suffer from this, 300 miles is a big radius for example... but if you want to know if 'the guy is still in country' or something like that (for instance law enforcement) it's useful for them. such parties could then collaborate with local resources to do further investigations. knowing which local resources in what area to enable might save a lot of 'costs'.
as you said, impressive and insightful. :D kinda feel like the docs on it were a bit chatGPT aided, they are super clear and full of 'certain sentences'. (this is totally an excellent use-case for that, so not bashing on it at all!).
nice read.