3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target’s phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds–and you wouldn’t even know.
I’m publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here’s how it works:
it may not be a big deal for an average person but for a journalist or a political figure, it can cause big problems
A journalist or political figure can install a $5 VPN.
And even in their own example attack against the Discord CTO, their location got them down to 90% of the US. I could have guessed that without the attack.
If you can install another app on their phone already, then this really doesn’t matter.