A researcher has shown how they exposed the locations of users of most messaging apps, including Signal and Twitter/X, with zero clicks. Here's what you need to know 🧵
First, this issue exploited Cloudflare's CDN. An attacker only needs to send an image in order to obtain a very coarse location based on delivery timing of the message. This requires no involvement from the victim, so it's 0-click. Cloudflare has since fixed the issue.
