EXIF Geolocation Data Not Stripped From Uploaded Images
Vulnerability Category: A3-Sensitive Data Exposure
Vulnerability Description: When a user uploads an image to the application , the uploaded image’s EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc
Impact: This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads an image on application.
Recommendation: Strip all metadata from the image once it is uploaded into the application.
Severity : Medium
CVSS v3.0 Score: 5.3
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
How to Test:
1) Check for Image upload functionality in the application and once it is uploaded and hosted on the application platform
Tools to Use:
1) Use https://www.pic2map.com/
2) Use https://www.verexif.com/en/
Note: If i wrote any mistakes in my posts please notify me I will rectify and learn more about it