Hacker News

kuschku 01/21/2025 (2 replies)

Every little bit helps.

You can plot the timestamps of every message, read receipt and emoji reaction, which gives you the timezone and hints at work schedule, commute duration and vacations.

Often people will post photos or have profile pictures.

Say you have a photo taken at a random McDonald's. That'd be 36'000 locations. Imagine Cloudflare location and timezone help you narrow it down to New Mexico. That's 80 locations. Small enough that you can look at every single one using Street View and check where the photo actually was taken.

Now you can subpoena the McDonald's CCTV footage and figure out who sent that picture.


Replies

cthalupa 01/21/2025

You can almost certainly narrow down the McDonald's with a wide variety of things - this example is fairly contrived.

If you can see outside of the McDonald's for Street View to be usable, you're almost certainly able to determine what country it is in, and potentially the exact location, depending on what is visible outside.

If it's a picture that shows the menu, well, street view isn't likely to be super useful, but you'd have a trivial time figuring out what country it is in at that point - menus vary from country to country, even when they are still in English.

New Mexico has relatively few McDonald's restaurants because New Mexico has a fairly low population - only 2.1m for the whole state. With that in mind, it seems unlikely that Cloudflare has a close enough POP for you to be able to specifically decide it's NM.

If I can see enough for Street View to be able to confirm location, it seems like I can just search via the data there and get far more narrowed down results. If I can see a Burger King and a Best Buy outside from the picture, I can just use one of the many mapping services with APIs to get a list of all McDonald's locations within a tenth of a mile of a Burger King and Best Buy and look through a smaller list. If I'm confident of the time zone, like you suggest we should be able to be, then that's an even smaller list.

I'm not saying this attack is useless by any means, but I don't see a world where the sharing of the pictures to begin with isn't the most significant opsec failure and doesn't open you up to being de-anonymized in a myriad of other ways.

gruez 01/21/2025

> Often people will post photos or have profile pictures.

> Say you have a photo taken at a random McDonald's. That'd be 36'000 locations. Imagine Cloudflare location and timezone help you narrow it down to New Mexico. That's 80 locations. Small enough that you can look at every single one using Street View and check where the photo actually was taken.

Sounds like the bigger opsec failure is posting the pictures, and leaking the Cloudflare POP only makes the search slightly easier.
