0-click deanonymization attack targeting Signal, Discord, other platforms

What the attack actually does

  • Exploit uses Signal/Discord image attachments hosted on Cloudflare.
  • Sender uploads a unique image; victim’s client auto-downloads it (e.g., for previews/notifications).
  • Attacker later probes Cloudflare POPs to see where the image is cached (via headers, timing, or VPN probes).
  • This yields the Cloudflare datacenter(s) closest (in routing terms) to the victim, giving a coarse location.

How “deanonymizing” is this?

  • Many commenters argue “deanonymization” is overstated:
    • Typical accuracy ~150–250 miles, sometimes worse due to peering quirks or roaming.
    • POPs often serve very large regions and traffic may exit via a different country.
  • Others say even coarse country/region can be highly sensitive:
    • E.g., confirming someone is in a particular country, city cluster, or still “in-country.”
    • Repeated pings can reveal travel patterns and be cross-referenced with other data.

Threat models and real-world use cases

  • For most users, the threat model is “stop big tech from reading content,” not “defeat nation-states.”
  • Several point out that serious users (whistleblowers, dissidents, activists) might wrongly assume stronger anonymity from Signal.
  • Suggested uses:
    • Narrowing a suspect list when combined with travel/immigration data.
    • Detecting moles in groups by spotting out-of-region members.
    • Correlating multiple identities that move together.

Mitigations and app design choices

  • User-side:
    • Always-on VPN/Tor largely defeats the attack, though mobile VPN behavior (esp. iOS, sleep, push) is debated.
    • Disable media auto-download and rich previews; this turns 0-click into 1-click.
  • App-side proposals:
    • Don’t auto-download from unknown contacts or for notifications.
    • Disable CDN caching or use per-recipient encrypted blobs/URLs (trade-off: cost and complexity).
    • Existing padding of attachments (Signal dev confirms) doesn’t prevent this specific side channel.
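As an added example (not code from the thread, nor from Signal, Discord or Cloudflare), a small audit an attachment host's operator can run over their own CDN response headers: it reports whether a cacheable object plus a visible POP code hands a non-recipient the cache-location signal discussed above. The sample responses are constructed; the only real formats assumed are Cloudflare's documented cf-ray "<id>-<colo>" suffix and cf-cache-status values.

```python
"""Audit a CDN response for cache-state and POP disclosure (added example)."""
import re

# cf-ray is "<hex ray id>-<3-letter colo code>", e.g. "...-LAX" (documented format).
CF_RAY_RE = re.compile(r"^[0-9a-f]+-([A-Z]{3})$")
# Headers that reveal whether the object was already sitting in a shared cache.
CACHE_STATE_HEADERS = ("cf-cache-status", "x-cache", "age")


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines (status line optional) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_cdn_response(raw: str) -> dict:
    """Report what a third party fetching this URL could infer from headers alone.

    Timing side channels are out of scope here; this only covers explicit headers.
    """
    h = parse_headers(raw)
    m = CF_RAY_RE.match(h.get("cf-ray", ""))
    pop = m.group(1) if m else None  # datacenter that served (and caches) the object
    cache_signals = {n: h[n] for n in CACHE_STATE_HEADERS if n in h}  # HIT/MISS/Age
    cc = h.get("cache-control", "").lower()
    cacheable = not any(d in cc for d in ("no-store", "private"))
    return {
        "pop": pop,
        "cache_signals": cache_signals,
        "cacheable": cacheable,
        # A shared-cache object whose serving POP is visible = the header side channel.
        "exposes_side_channel": cacheable and pop is not None,
    }


# Constructed responses (not real captures): a weak and a hardened attachment reply.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: image/png
Cache-Control: public, max-age=31536000
CF-Cache-Status: HIT
CF-Ray: 8a1b2c3d4e5f6a7b-LAX
Age: 42
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: image/png
Cache-Control: private, no-store
CF-Ray: 8a1b2c3d4e5f6a7b-LAX
"""
```

Run `audit_cdn_response(WEAK_RESPONSE)` against the hardened variant to see the difference: the POP code is still visible in both, so the fix is denying shared-cache storage, not hiding the header.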

Role of Cloudflare and CDNs

  • Some blame Cloudflare for exposing cache status/POP IDs; others note timing side channels would still exist.
  • Cloudflare reportedly patched the ability to target arbitrary POPs from Workers, but the attack can still be approximated via VPN-based probing.
  • Underlying issue is structural: centralized CDNs see IPs and metadata; law enforcement could subpoena logs.

Meta discussion

  • Many praise the technical work and write-up, but see the title and language as somewhat sensational.
  • Debate over whether Signal appropriately dismissed the report and whether its “privacy by default” marketing overpromises anonymity.