Insecure Storage of Sensitive Information in chocobozzz/peertube
Feb 27th 2022
Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images (vulnerability)
Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their Geolocation, their Device information like Device Name, Version, Software & Software version used, etc.
Proof of Concept:- 1.Browse this link:- https://github.com/ianare/exif-samples/blob/master/jpg/gps/DSCN0012.jpg
2.Download the image Upload the picture on your profile and click on save.
3.Now see the path of the uploaded image ( Either by right click on image then copy image address OR right-click, inspect the image, the URL will come in the inspect, edit it as HTML )
4.Then open:- http://exif.regex.info/exif.cgi
5.Paste the URL (https://p.lu/lazy-static/avatars/683e95a1-c9d3-4c70-949d-b37a5525f8c2.jpg) of the profile image path now you can see the EXIF data.
Impact:- This vulnerability impacts all users on microweber. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on microweber.