Pixel That Steals Data - I’m Invisible

Summary:

A vulnerability that lets an attacker collect information about every user who views a page, without their knowledge: IP address, ISP, country, city, region, device information and browser details.

This vulnerability can be found wherever an image can be embedded by URL, e.g. forums, discussion pages, comment sections, messages, or anywhere an image is fetched with an <img src="URL"> tag.

How to find this vulnerability?

1. Go to https://iplogger.org/invisible/ and generate an invisible image

2. A link will be generated; copy it and click on Logged IPs

IP Logger

3. Now upload the image; there are two ways:

i) Fetch the image using the web upload option

Fetching Image - 1

ii) Fetch the image using an <img src="URL"> tag

Fetching Image - 2

4. Now post it and wait. As soon as people start viewing your topic you'll get their IP addresses, country, city, region, device info and browser details.

IP and other Info

Mitigation: Proxy all objects fetched from third-party resources and set a Content Security Policy (CSP). This is only one way to mitigate; there could be many others.
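The mitigation above in code, as an added example that is not from the original post: a camo-style signed image proxy that rewrites every remote `<img src>` to the site's own origin, so the viewer's browser never contacts the third-party host, together with the matching CSP header. The key, the proxy origin and the HTML snippet are constructed; the server-side fetch of the verified URL is left out.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed example values: the signing key belongs in a secret store and
# PROXY_BASE is the assumed origin of the site's own image-proxy service.
PROXY_KEY = b"constructed-example-key-rotate-me"
PROXY_BASE = "https://img-proxy.example.com"
# Browsers enforcing this header refuse images from any other origin, so an
# unproxied tracking pixel that slips through never reaches the third party.
CSP_HEADER = ("Content-Security-Policy", f"img-src 'self' {PROXY_BASE}")

def is_remote(url: str) -> bool:
    """True for absolute http(s) URLs, i.e. the ones that would leak the viewer."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def sign_image_url(remote_url: str) -> str:
    """Site side: return the proxied URL to embed instead of the remote one.
    The HMAC stops the proxy being used as an open relay for arbitrary URLs."""
    if not is_remote(remote_url):
        raise ValueError("only absolute http(s) image URLs may be proxied")
    digest = hmac.new(PROXY_KEY, remote_url.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}/{digest}/{remote_url.encode().hex()}"

def verify_proxy_request(path: str) -> Optional[str]:
    """Proxy side: recover the remote URL from a request path, or None when the
    path is malformed or the signature does not match (answer 404 in that case)."""
    match = re.fullmatch(r"/([0-9a-f]{64})/([0-9a-f]+)", path)
    if not match:
        return None
    digest, hex_url = match.groups()
    try:
        remote_url = bytes.fromhex(hex_url).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(PROXY_KEY, remote_url.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return None
    return remote_url

IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=)["\']([^"\']+)["\']', re.IGNORECASE)

def rewrite_img_tags(html: str) -> str:
    """Rewrite every remote <img src> in user HTML; relative sources stay as-is."""
    def repl(match: "re.Match[str]") -> str:
        src = match.group(2)
        return f'{match.group(1)}"{sign_image_url(src) if is_remote(src) else src}"'
    return IMG_SRC.sub(repl, html)
```

The proxy fetches the verified URL itself, checks that the response really is an image, and serves it from `PROXY_BASE`; the third party only ever sees the proxy's address.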

Thank You :)

Instagram: jerry._.3

Happy Hacking ;)


|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Jerry Shah (Jerry)