Pixel That Steals Data - I’m Invisible

Summary:

A vulnerability that lets an attacker obtain information about all the users without their knowledge. The attacker can collect each user's IP address, ISP, country name, city name, region, device info and browser details.

This vulnerability can be found wherever there is an option to upload an image using a URL, e.g. forums, discussion pages, comment sections, messages, or fetching an image using the <img src="URL"> tag.

How to find this vulnerability?

1. Go to https://iplogger.org/invisible/ and generate an invisible image.

2. After that a link will be generated. Copy it and click on Logged IP’s.

IP Logger

3. Now upload the image. There are 2 ways:

i) Fetch image using web

Fetching Image - 1

ii) Fetch image using the <img src="URL"> tag

Fetching Image - 2

4. Now post it and wait for some time. As soon as people start looking at your topic, you'll get their IP addresses, country name, city name, region, device info and browser details.

IP and other Info

Mitigation: Proxy all the objects from third-party resources and create a CSP. This is only one way of mitigation; there could be many.
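
One way to implement the mitigation above, as an added example that is not part of the original post: a server-side rewriter that points every absolute <img src> in a post at an image proxy, plus a CSP value that blocks images from anywhere else. The proxy endpoint, signing key and function names are assumptions made for illustration.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Assumed names (not from the article): proxy endpoint and signing key.
PROXY = "https://img-proxy.example.test/fetch"
KEY = b"constructed-demo-key"
# Backstop header: the browser refuses images the rewriter did not cover.
CSP = "img-src 'self' https://img-proxy.example.test"

def sign(url):
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def proxied(url):
    # The proxy fetches the image, so the viewer never contacts the third party.
    url = "https:" + url if url.startswith("//") else url
    return f"{PROXY}?url={quote(url, safe='')}&sig={sign(url)}"

def proxy_accepts(url, sig):
    # Proxy-side check: fetch only http(s) URLs that this site signed.
    return urlsplit(url).scheme in ("http", "https") and hmac.compare_digest(sign(url), sig)

class ImgRewriter(HTMLParser):
    """Re-emits a post with every absolute <img src> pointed at the proxy."""
    def __init__(self):
        super().__init__()
        self.out = []
    def _tag(self, tag, attrs, end=""):
        if tag == "img":
            attrs = [(k, proxied(v) if k == "src" and v and urlsplit(v).netloc else v)
                     for k, v in attrs]
        text = "".join(f' {k}="{escape(v or "")}"' for k, v in attrs)
        self.out.append(f"<{tag}{text}{end}>")
    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def rewrite_post(html):
    parser = ImgRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The rewriter only relocates image references and is not an HTML sanitizer; the signature lets the proxy refuse URLs the site did not issue, so it cannot be used as an open fetcher.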

Thank You :)

Instagram : jerry._.3

Happy Hacking ;)




|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Jerry Shah (Jerry)