Exif MetaData Leakage

This issue occurs when a user uploads an image to example.com and the uploaded image's EXIF metadata is not stripped. As a result, anyone can obtain sensitive information about example.com users, such as their geolocation and device information (device name, version, and the software and software version used).

Steps for Reproduction:

1) Visit this Repository. There are a lot of images with metadata.
2) Upload the image to the website.
3) Download the uploaded image from the website.
4) Visit this link to check whether the EXIF metadata was stripped. If it was not, you can report it.
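
The check in step 4 and the corresponding server-side fix can also be done locally. The following is an added example, not code from the original page: it walks a JPEG's segments, reports sensitive IFD0 tags in any Exif APP1 segment, and removes that segment. The function names and the sample bytes are constructed for illustration. It inspects only Exif IFD0, not other metadata containers such as XMP or IPTC.

```python
# Added example, not code from the original page. Tag IDs are standard Exif/TIFF tags.
SENSITIVE = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x8825: "GPSInfo"}
EXIF_ID = b"Exif\x00\x00"

def segments(jpeg):
    """Yield (marker, start, end) per JPEG segment; scan data is one final chunk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: the rest is copied verbatim
            yield marker, pos, len(jpeg)
            return
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("malformed segment length")
        yield marker, pos, end
        pos = end

def is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_ID

def leaked_tags(jpeg):
    """Names of sensitive IFD0 tags found in any Exif APP1 segment."""
    found = []
    for marker, start, end in segments(jpeg):
        if is_exif(jpeg, marker, start):
            tiff = jpeg[start + 10:end]
            order = "little" if tiff[:2] == b"II" else "big"
            ifd = int.from_bytes(tiff[4:8], order)
            for i in range(int.from_bytes(tiff[ifd:ifd + 2], order)):
                tag = int.from_bytes(tiff[ifd + 2 + 12 * i:ifd + 4 + 12 * i], order)
                if tag in SENSITIVE:
                    found.append(SENSITIVE[tag])
    return found

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed."""
    kept = [jpeg[s:e] for m, s, e in segments(jpeg) if not is_exif(jpeg, m, s)]
    return b"\xff\xd8" + b"".join(kept)

# Constructed sample (structure only, not a viewable image): SOI, Exif APP1 whose
# IFD0 holds Model and a GPSInfo pointer, a stub scan segment, EOI.
_tiff = (b"MM\x00\x2a\x00\x00\x00\x08\x00\x02"
         b"\x01\x10\x00\x02\x00\x00\x00\x04Cam\x00"
         b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x26\x00\x00\x00\x00")
_app1 = EXIF_ID + _tiff
SAMPLE = (b"\xff\xd8\xff\xe1" + (len(_app1) + 2).to_bytes(2, "big") + _app1
          + b"\xff\xda\x00\x02\x11\x22\xff\xd9")
```

Running `leaked_tags` on the file downloaded in step 3 shows whether the upload pipeline stripped the metadata; applying `strip_exif` before storage is one way to close the leak.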
