Insecure Storage of Sensitive Information in erudika/scoold

Valid

Reported on

Apr 26th 2022


Description

When a user uploads a profile picture, the EXIF metadata embedded in the image (including its geolocation data) is not stripped before the file is stored. As a result, anyone who can fetch the stored image can obtain sensitive information about Scoold users, such as their geolocation and device details (device name, version, software and software version used, etc.).

Proof of Concept

  1. Browse this link: https://github.com/ianare/exif-samples/blob/master/jpg/gps/DSCN0010.jpg

  2. Download the image and upload it as a profile picture.

  3. Find the path of the uploaded image (either right-click the image and copy the image address, or right-click, inspect the image and read the URL from the inspector's HTML).

  4. Check the EXIF metadata of the image with a CLI tool or any online tool.

  5. Paste the URL () of the profile image path; the EXIF data is now visible.

PoC

https://drive.google.com/file/d/1uo8f4blKTZ110GFch-4XPIRPVtLHb7PP/view?usp=sharing

Impact

This vulnerability affects all Scoold users who upload a profile picture: it violates their privacy by exposing the sensitive information embedded in the uploaded image.
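As an added example (not Scoold's own code, which delegates uploads to Cloudinary), a dependency-free Python check and scrubber for the JPEG APP1 Exif segment: `has_gps` reports whether IFD0 carries a GPS IFD pointer, which is the check a server could run on an upload, and `strip_metadata` drops the metadata segments before the file is stored. It generalises slightly beyond the report by also dropping APP1 XMP and APP13 IPTC segments, which can carry location data as well; the sample JPEG is constructed inline.

```python
import struct

SOS, APP0, APP1, APP13 = 0xFFDA, 0xFFE0, 0xFFE1, 0xFFED
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD

def jpeg_segments(data):
    """Yield (marker, raw bytes) per header segment; the SOS segment carries the rest of the file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:  # entropy-coded scan follows; no metadata segments after this point
            yield marker, data[pos:]
            return
        if length < 2:
            raise ValueError("corrupt segment length")
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length

def exif_has_gps(segment):
    """True if an APP1 Exif segment's IFD0 contains a GPS IFD pointer (tag 0x8825)."""
    if segment[4:10] != b"Exif\x00\x00":
        return False
    tiff = segment[10:]
    endian = ">" if tiff[:2] == b"MM" else "<"
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    entry = lambda i: struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
    return any(entry(i) == GPS_IFD_TAG for i in range(count))

def has_gps(data):
    return any(m == APP1 and exif_has_gps(s) for m, s in jpeg_segments(data))

def strip_metadata(data):
    """Drop APP1 (Exif/XMP) and APP13 (IPTC) segments; copy everything else byte-for-byte."""
    return b"\xff\xd8" + b"".join(s for m, s in jpeg_segments(data) if m not in (APP1, APP13))

def _seg(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed sample: a structurally valid JPEG skeleton whose Exif block carries a GPS IFD
_ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + b"\x00" * 4
_tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + _ifd0 + b"\x00" * 6  # empty GPS IFD at offset 26
SAMPLE = (b"\xff\xd8"
          + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(APP1, b"Exif\x00\x00" + _tiff)
          + _seg(0xFFDB, b"\x00" + bytes(64))           # DQT placeholder
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"  # SOS header
          + b"\x12\x34\xff\xd9")                         # fake scan bytes + EOI
```

Running `has_gps(SAMPLE)` returns True and `has_gps(strip_metadata(SAMPLE))` returns False; the scrubbed bytes keep the JFIF, quantisation and scan segments untouched.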

We are processing your report and will contact the erudika/scoold team within 24 hours. a month ago
We have contacted a member of the erudika/scoold team and are waiting to hear back a month ago
Alex Bogdanovski modified the Severity from Critical to Low a month ago
Alex Bogdanovski modified the Severity from Low to Critical (10) a month ago
Alex Bogdanovski modified the Severity from Critical (10) to Medium (6.5) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alex Bogdanovski validated this vulnerability a month ago
Tarun Garg has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Bogdanovski confirmed that a fix has been merged on 0d2dd3 a month ago
Alex Bogdanovski has been awarded the fix bounty
Alex (Maintainer), a month ago

Report is valid for Scoold Pro only. Scoold uploads files only to Cloudinary where EXIF is stripped.
