3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target’s phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds–and you wouldn’t even know.
I’m publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here’s how it works:
The actual story here is that this was done and written up by a 15-year old high school student. As such, I have to say: bravo, well done!
The claim to „deanonimization“ is stretching it quite far. At best, you could prove a known person (which you know how to contact) was indeed physically in a certain location. This can be useful, but it’s hardly deanon in the traditional sense.
it may not be a big deal for an average person but for a journalist or a political figure, it can cause big problems
If you can install another app on their phone already, then this really doesn’t matter.