I should have stopped when they announced they were a high school student.
They didn’t reveal the actual identity of anyone. They did use Cloudflare to approximate a target’s location, and made it slightly fancier by forcing the client to make the request with a push notification.
Companies have used similar approaches for decades. Almost every web interaction with a marketer approximates your location and ties that together with demographics via browser fingerprinting to get a good idea of who you are.
Sounds a bit clickbait:
“allows an attacker to grab the location of any target within a 250 mile radius”
So it’s a bit rough… In Europe it means basically which country the target is in. Also Cloudflare servers are not evenly distributed in the world, so resolution can differ wildly worldwide.
“With a vulnerable app installed on a target’s phone”
So it’s not really zero click.
Sounds interesting though, nice writeup, but not as scary as it sounds from the title.