Pixel That Steals Data - I’m Invisible

Summary :

A vulnerability using which an attacker can obtain the information of all the users without their knowledge. He can steal his IP address, ISP, country name, city name, region, Device info, browser details.

This vulnerability can be found on the places where you have an option of uploading an image using URL eg. forums, discussion pages, comments sections, messages, fetching image using <img src=”URL”> tag etc.

How to find this vulnerability ?

1. Go to https://iplogger.org/invisible/ and generate an invisible image

2. After that a link will be generated, copy it and click on Logged IP’s

IP Logger

3. Now upload the image : 2 ways

i) Fetch image using web

Fetching Image - 1

ii) Fetch image using <img src=”URL”> tag

Fetching Image - 2

4. Now post it and wait for some time, as soon as people will start looking your topic you’ll get the IP addresses, country name, city name, region, Device info, browser details.

IP and other Info

Mitigation : Proxy all the objects from third-party resources and create a CSP. Although this is only one way of mitigation, their could be many.

Thank You :)

Instagram : jerry._.3

Happy Hacking ;)