You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We had a security researcher file a report for our helpy instance:
Vulnerability name: EXIF Geolocation Data Not Stripped
Vulnerability Description:
What is EXIF?
EXIF is short for Exchangeable Image File, a format that is a standard for storing interchange information in digital photography image files using JPEG compression. Almost all new digital cameras use the EXIF annotation, storing information on the image such as shutter speed, exposure compensation, F number, what metering system was used, if a flash was used, ISO number, date and time the image was taken, white balance, auxiliary lenses that were used and resolution. Some images may even store GPS information so you can easily see where the images were taken!
Vulnerability Impact:
Metadata from the uploaded profile picture is not stripped off. As a result, image's captured GEO location, date, device used and other sensitive information is leaked. This information can be used for tracking people, gaining leverage on the devices.This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads an image.
Steps to reproduce:
Create an account and login
Go to settings and upload a profile picture.
Right click on profile image then view the image location and copy it.
Go to this URL http://exif.regex.info/exif.cgi and paste in the link and view the image.
All sensitive information is shown including device name and GEO location of image captured.
Remediation : strip the metadata from the uploaded images.
The text was updated successfully, but these errors were encountered:
We had a security researcher file a report for our helpy instance:
Vulnerability name: EXIF Geolocation Data Not Stripped
Vulnerability Description:
What is EXIF?
EXIF is short for Exchangeable Image File, a format that is a standard for storing interchange information in digital photography image files using JPEG compression. Almost all new digital cameras use the EXIF annotation, storing information on the image such as shutter speed, exposure compensation, F number, what metering system was used, if a flash was used, ISO number, date and time the image was taken, white balance, auxiliary lenses that were used and resolution. Some images may even store GPS information so you can easily see where the images were taken!
Vulnerability Impact:
Metadata from the uploaded profile picture is not stripped off. As a result, image's captured GEO location, date, device used and other sensitive information is leaked. This information can be used for tracking people, gaining leverage on the devices.This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads an image.
Steps to reproduce:
All sensitive information is shown including device name and GEO location of image captured.
Remediation : strip the metadata from the uploaded images.
The text was updated successfully, but these errors were encountered: