• knightmare1147@lemmy.world
    7 hours ago

    TL;DR: Someone can guess reasonably where you are by sending you a glitched friend request notification on your phone that tells the hacker what data center you’re closest to.

    It is pretty clever, but I wouldn’t call it full deanonymizing; it should still get patched, though.

    Good find by the tester.

    Edit: used the term ‘glitch’ for simplicity of people reading, didn’t mean to upset people; I’m just an amateur.

    • CosmicTurtle0@lemmy.dbzer0.com
      7 hours ago

      It’s not a glitched friend request notification.

      It’s a native friend request that you make through Discord. The vulnerability lies in the attacker making a unique pfp for each request, forcing the CDN to cache the pfp at the closest data center to the user.

      I would agree that it’s not fully deanonymizing, but it could resurrect tracking Elon and other billionaires.