Exif Data Exposure

Summary :

Exif stands for Exchangeable Image File Format. Exif Data stores sensitive information like Geo-location, Date, Name of the camera, Modified date, Time, Sensing Method, File Source, Type of compression etc. in the photos you click.

Now this data resides in the every photo you take using cameras. I found this flaw in one of the private program on Bugcrowd. There two types of Exif Data Exposures :

  1. Automatic User Enumeration --> P3 (severity)
  2. Manual User Enumeration --> P4 (severity)

Automatic User Enumeration means the image you have uploaded is visible to public, for eg. Uploading an image in the comment section.

Manual User Enumeration means the image you have uploaded is not visible to other users, for eg. Uploading an image in the profile picture which is private. (Profile pictures can be public too)

Why this is a vulnerability ?

It can lead to sensitive data exposure like the Geo-location, Date of the photo, Time of the photo, Camera used etc.

Now lets take an example that their is a comment section which allows you to upload the images, a person named Bob uploads an image that contains the exif data. Now another user named Alice downloads the image and check for the exif data and she gets the Geo-location of Bob, now she will simply check for the coordinates in google map and she will get the exact location of that person.

How to find this vulnerability ?

  1. Go to any place where you can upload an image

2. Upload the image that contains the exif data (https://github.com/ianare/exif-samples) [Sample Exif Images]

3. Download the image again from where you uploaded

Downloading Image

4. Go to http://exif.regex.info/exif.cgi and upload the downloaded image

5. Click on View Image Data and it will give you the exif data of that image (if the data is not stripped by the server).

How this vulnerability occurs ?

Whenever any image is uploaded the server fails to strip the exif data of the image and that leads to exif data exposure.

I found reported the issue to the company and the fixed it. They rewarded me with hall of fame.

Thank You :)

Instagram : jerry._.3

--

--

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store