Exif stands for Exchangeable Image File Format. Exif data stores sensitive information such as geo-location, date, camera name, modified date, time, sensing method, file source, type of compression etc. in the photos you take.
This data resides in every photo you take with a camera. I found this flaw in one of the private programs on Bugcrowd. There are two types of Exif data exposure:
- Automatic User Enumeration --> P3 (severity)
- Manual User Enumeration --> P4 (severity)
Automatic User Enumeration means the image you have uploaded is visible to the public, e.g. uploading an image in a comment section.
Manual User Enumeration means the image you have uploaded is not visible to other users, e.g. uploading a profile picture that is private. (Profile pictures can be public too.)
Why is this a vulnerability?
It can lead to sensitive data exposure: the geo-location, date and time of the photo, the camera used, etc.
Let's take an example. There is a comment section which allows you to upload images, and a user named Bob uploads an image that still contains its Exif data. Another user named Alice downloads the image and checks its Exif data; she obtains Bob's geo-location, looks up the coordinates in Google Maps, and gets the exact location where the photo was taken.
How to find this vulnerability?
1. Go to any place where you can upload an image
2. Upload an image that contains Exif data (sample Exif images: https://github.com/ianare/exif-samples)
3. Download the image again from where you uploaded it
4. Go to http://exif.regex.info/exif.cgi and upload the downloaded image
5. Click on View Image Data and it will show you the Exif data of that image (if the data was not stripped by the server).
How does this vulnerability occur?
Whenever an image is uploaded, the server fails to strip the Exif data from the image, and that leads to Exif data exposure.
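The check from the steps above (does the re-downloaded image still carry Exif?) and the server-side fix (strip the Exif segment at upload time) can both be shown on a JPEG using only the Python standard library. The following is an added example written for this page, not code from the original post or from any program the author tested. It walks the JPEG segment structure, reads a few IFD0 tags from the Exif APP1 block, and rebuilds the file without that block. The sample JPEG, the tag values and the function names are constructed for this example; the sample is structurally valid but not a decodable photo.

```python
"""Detect and strip the Exif APP1 segment of a JPEG (standard library only)."""
import struct

SOS, APP1 = 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"

# IFD0 tags that matter for privacy (tag id -> name). GPS data sits in a
# sub-IFD reached through 0x8825; this example records the pointer only.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x8825: "GPSInfoIFDPointer"}


def iter_segments(data):
    """Yield (marker, payload, raw_bytes) for each segment up to SOS.
    Everything from SOS to the end (scan data + EOI) is yielded as one chunk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:
            yield marker, b"", data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        seg_end = pos + 2 + length
        yield marker, data[pos + 4:seg_end], data[pos:seg_end]
        pos = seg_end


def parse_exif_tags(app1_payload):
    """Return {tag name: value} for the IFD0 entries of an Exif APP1 payload.
    Decodes ASCII, SHORT and LONG entries, which is enough to show what leaks."""
    if not app1_payload.startswith(EXIF_HEADER):
        return {}
    tiff = app1_payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte order of the TIFF block
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
        tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
        name = TAG_NAMES.get(tag, "0x%04X" % tag)
        if typ == 2:  # ASCII: inline if <= 4 bytes, otherwise at an offset
            if n <= 4:
                raw = entry[8:8 + n]
            else:
                off = struct.unpack(endian + "I", entry[8:12])[0]
                raw = tiff[off:off + n]
            tags[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 3:  # SHORT
            tags[name] = struct.unpack(endian + "H", entry[8:10])[0]
        elif typ == 4:  # LONG (also used for sub-IFD pointers)
            tags[name] = struct.unpack(endian + "I", entry[8:12])[0]
    return tags


def find_exif(data):
    """The check: tags still present in the image a user can download."""
    for marker, payload, _ in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return parse_exif_tags(payload)
    return {}


def strip_exif(data):
    """The fix: copy every segment except the Exif APP1 block. Run at upload time."""
    out = bytearray(b"\xff\xd8")
    for marker, payload, raw in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            continue
        out += raw
    return bytes(out)


def build_sample_jpeg():
    """Constructed input: JFIF APP0 + hand-built Exif APP1 + stub scan + EOI."""
    entries, date = 3, b"2024:01:02 03:04:05\x00"    # constructed values
    date_off = 8 + 2 + 12 * entries + 4               # string follows the IFD
    tiff = bytearray(b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", entries))
    tiff += struct.pack("<HHI", 0x010F, 2, 4) + b"Cam\x00"                          # Make
    tiff += struct.pack("<HHI", 0x0132, 2, len(date)) + struct.pack("<I", date_off)  # DateTime
    tiff += struct.pack("<HHI", 0x8825, 4, 1) + struct.pack("<I", date_off + len(date))  # GPS IFD
    tiff += struct.pack("<I", 0) + date               # no next IFD, then the string
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0)   # empty stub GPS IFD
    app1 = EXIF_HEADER + bytes(tiff)
    exif_seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
    return b"\xff\xd8" + app0 + exif_seg + sos


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", find_exif(sample))   # Make, DateTime and the GPS IFD pointer
    print("after: ", find_exif(strip_exif(sample)))   # {}
```

Stripping only the Exif APP1 block is the minimum: location and device details can also sit in XMP (another APP1 payload) or IPTC (APP13), and PNG, WebP and HEIC keep metadata in their own containers, so a production upload path should re-encode with an image library rather than rely on a single marker. Test it the same way the write-up does: download the image after upload and confirm the metadata is gone.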
I reported the issue to the company and they fixed it. They rewarded me with a hall of fame entry.
Thank You :)
Instagram : jerry._.3