EXIF Geolocation Data Not Stripped From Uploaded Images
EXIF Geolocation Data Not Stripped From Uploaded Images (Manual User Enumeration)
EXIF (Exchangeable Image File Format) is a standard used to store metadata within image files. This metadata includes information such as camera settings, date and time of capture, and even geolocation data. Geolocation data, also known as geotags or geotagging, refers to the specific latitude and longitude coordinates where the image was taken.
In some cases, when you upload an image to a website or social media platform, the geolocation data embedded in the image's EXIF metadata is not automatically stripped or removed. This means that anyone who has access to the image can potentially extract the geolocation information and determine the exact location where the photo was taken.
In this Article :
- Manual User Enumeration Introduction
- Manual User Enumeration Finding & Reporting
- What is Impact
- What is Mitigations
Let’s start to details of a Manual User Enumeration vulnerability. We are going to about the basic description of the vulnerability and how to search for it.
How to Test Manual User Enumeration ?
STEP #1: Got to GitHub (https://github.com/ianare/exif-samples/tree/master/jpg/gps). There are lot of images having resolution (i.s 1280x720 ) , and also with different MB’s .
STEP #2: Visit any website, create an account go to image upload option in profile , upload the image.it's essential for users to be aware of the potential risks and take precautions when sharing images online. This includes manually removing or disabling geolocation services on their devices or using specialized software to strip the metadata from images before sharing them.
Impact :
The impact of not stripping EXIF geolocation data from uploaded images can have several implications both positive and negative
Geolocation data can also pose security risks. For example, if someone shares an image taken on a vacation, it indicates that their home may be unoccupied, making it an attractive target for burglaries. Similarly, geolocation data from sensitive locations, such as military installations or government buildings, could be exploited for malicious purposes.
On the flip side, not stripping geolocation data can enable targeted advertising based on users' whereabouts. Advertisers can leverage this information to deliver location-specific ads, promotions, or recommendations. While this may be beneficial for businesses, some users may find it intrusive or concerning from a privacy standpoint.
Report Format
I'm Career Technology Cyber security India a white security researcher from Mumbai, India found a vulnerability on your website i.e.:- https://www.exmple.com/
Vulnerability Name: EXIF Geo-location Data Not Stripped From Uploaded Images (Manual User Enumeration)
When a user uploads an image for profile, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of https://www.exmple.com/ their Geolocation, Device information like Device Name, Version, Software & Software version used etc.
1.Browse this link:-https://github.com/ianare/exif-samples/blob/master/jpg/gps/DSCN0010.jpg
2.Download the image and Upload the picture in the profile account (https://www.exmple.com/home/profile)
3.Now see the path of the uploaded image ( Either by right click on image then copy image address OR right-click,inspect the image, the URL will come in the inspect, edit it as HTML )
4.Then open:- https://jimpl.com/
5.Paste the URL (https://www.exmple.com/uploads/users_image/12589.jpg) of the image path now you can see the EXIF data.
This vulnerability impacts all users on Rocketlane. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on Rocketlane.
Strip all metadata from the image once it is uploaded into the application.
PFA of video for steps by steps guidance also help to regenerate the vulnerability
Career Technology Cyber security India
Indian Bug Hunter
Comments
Post a Comment