Insecure cloudflared credential storage on Windows

I really like the new centralized configuration feature of Cloudflare Tunnel. The recommended way to run a tunnel as a service on Windows is to use cloudflared service install <token>, where the token is a JWT that allows cloudflared to fetch the centralized configuration and run the tunnel.

The problem with this command, on Windows at least, is that cloudflared saves the token in the executable path of the service. Therefore, the tunnel token can be read by any user regardless of privileges, which is not necessary since the service runs as “system”.

To test this, run the PS command Get-WmiObject win32_service | ?{$_.Name -eq 'cloudflared'} | select PathName as an unprivileged user and you’ll see the token. This is a big issue since the origin of the tunnel is likely to be trusted by users, who will then send their RDP/SSH/HTTP credentials to whatever service is routed by the tunnel. If tunnel credentials are stolen, an attacker can steal whatever data is sent to the origin.

This token should be stored in a file that only administrators or the “system” user can read.
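An added example, not part of the original post and not cloudflared code: a PowerShell audit that flags service command lines carrying a token-shaped argument without printing the value, plus a helper that creates a file only SYSTEM and Administrators can access, the storage the post recommends. The function names and the sample entry are hypothetical and constructed; whether cloudflared can load its token from such a file is not assumed here.

```powershell
# Added example. Function names are hypothetical; the sample data is constructed.

function Find-EmbeddedSecret {
    # Flags entries whose command line holds a long base64/JWT-shaped run.
    # The matched value is replaced before output so the audit never echoes it.
    param([Parameter(Mandatory)][object[]]$Service)
    $pattern = '[A-Za-z0-9_\-+/=.]{80,}'
    foreach ($s in $Service) {
        if ($s.PathName -match $pattern) {
            [pscustomobject]@{
                Name     = $s.Name
                PathName = $s.PathName -replace $pattern, '<redacted>'
            }
        }
    }
}

function New-RestrictedSecretFile {
    # Creates an empty file, then replaces its ACL so that only SYSTEM and
    # BUILTIN\Administrators have access. Run elevated, and write the secret
    # only after this returns, so it never sits under a permissive ACL.
    param([Parameter(Mandatory)][string]$Path)
    $null = New-Item -ItemType File -Path $Path -Force
    $acl = New-Object System.Security.AccessControl.FileSecurity
    $acl.SetAccessRuleProtection($true, $false)    # no inherited entries
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') { # SYSTEM, Administrators
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights
}

# Constructed sample entry with a made-up, token-shaped argument.
$sample = [pscustomobject]@{
    Name     = 'cloudflared'
    PathName = '"C:\example\cloudflared.exe" tunnel run --token ' + ('QUJD' * 40)
}
Find-EmbeddedSecret -Service $sample

# Against a live host, audit every installed service instead:
#   Find-EmbeddedSecret -Service (Get-CimInstance Win32_Service)
# Lock down a file before placing a secret in it (placeholder path):
#   New-RestrictedSecretFile -Path 'C:\example\tunnel-token.txt'
```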

This seems like something worth mentioning on the Cloudflared Repo
