Insecure Storage of Sensitive Information in erudika/scoold

Status: Valid

Reported on Apr 26th 2022


Description

When a user uploads a profile picture, the EXIF metadata embedded in the uploaded image is not stripped. As a result, anyone who can fetch the stored image can read sensitive information about Scoold users, such as the geolocation where the photo was taken and device details (device name and version, the software used and its version).

Proof of Concept

  1. Open this link: https://github.com/ianare/exif-samples/blob/master/jpg/gps/DSCN0010.jpg

  2. Download the image and upload it as a profile picture.

  3. Find the path of the uploaded image (either right-click the image and choose "Copy image address", or right-click, choose "Inspect", and read the URL from the element's HTML).

  4. Check the EXIF metadata of the image with a CLI tool or any online tool.

  5. Paste the URL () of the profile image path into the tool; the EXIF data is now visible.

PoC

https://drive.google.com/file/d/1uo8f4blKTZ110GFch-4XPIRPVtLHb7PP/view?usp=sharing

Impact

This vulnerability affects every Scoold user who uploads a profile picture: it violates their privacy by exposing the location and device information embedded in the photo to anyone who can retrieve the image.
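As an added example (not Scoold's own code, which is Java, and not the fix shipped in commit 0d2dd3), this is the mitigation an upload handler should apply before storing a profile picture: a Python parser that walks the JPEG marker segments and drops the APP1..APP15 and COM segments, so the Exif block carrying GPS and device tags never reaches storage. The sample JPEG bytes are constructed; the marker numbers are from the JPEG standard.

```python
import struct

# APP1..APP15 (0xE1..0xEF) hold Exif, XMP, ICC and vendor blobs; COM (0xFE) holds free text.
# APP0 (0xE0, JFIF), tables (DQT/DHT) and the frame header are kept: decoders need them.
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}

def jpeg_segments(data: bytes):
    """Yield (marker, start, end) per header segment; the SOS segment spans to end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        while data[pos] == 0xFF and data[pos + 1] == 0xFF:  # optional 0xFF fill bytes
            pos += 1
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded scan follows, copy the rest verbatim
            yield marker, pos, len(data)
            return
        if marker == 0xD9 or 0xD0 <= marker <= 0xD7 or marker == 0x01:  # no length field
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def has_exif(data: bytes) -> bool:
    """True if an APP1 segment carries the Exif identifier (where GPS/device IFDs live)."""
    return any(m == 0xE1 and data[s + 4:s + 10] == b"Exif\x00\x00"
               for m, s, _ in jpeg_segments(data))

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Rebuild the file without APP1..APP15 and COM segments; pixel data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in jpeg_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)

def segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a structurally valid JPEG skeleton (not a decodable picture) whose
# fake Exif block stands in for the GPS and device IFDs a phone camera writes.
SAMPLE = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + segment(0xE1, b"Exif\x00\x00MM\x00\x2a<GPS and device IFDs would go here>")
          + segment(0xFE, b"camera comment") + segment(0xDB, bytes(65))
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\xd9")
```

Re-encoding the upload through an image library removes Exif as a side effect too, but either way the Exif Orientation tag is lost with the APP1 segment, so apply the orientation to the pixels first or the stored photo may appear rotated.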

We are processing your report and will contact the erudika/scoold team within 24 hours. a year ago
We have contacted a member of the erudika/scoold team and are waiting to hear back a year ago
Alex Bogdanovski modified the Severity from Critical to Low a year ago
Alex Bogdanovski modified the Severity from Low to Critical (10) a year ago
Alex Bogdanovski modified the Severity from Critical (10) to Medium (6.5) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alex Bogdanovski validated this vulnerability a year ago
Tarun Garg has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Bogdanovski marked this as fixed in 1.49.4 with commit 0d2dd3 a year ago
Alex Bogdanovski has been awarded the fix bounty
This vulnerability will not receive a CVE
Alex (Maintainer), a year ago:

Report is valid for Scoold Pro only. Scoold uploads files only to Cloudinary where EXIF is stripped.
