Insecure Storage of Sensitive Information in chocobozzz/peertube


Reported on

Feb 27th 2022

Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images (vulnerability)

Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their Geolocation, their Device information like Device Name, Version, Software & Software version used, etc.

Proof of Concept:- 1.Browse this link:-

2.Download the image Upload the picture on your profile and click on save.

3.Now see the path of the uploaded image ( Either by right click on image then copy image address OR right-click, inspect the image, the URL will come in the inspect, edit it as HTML )

4.Then open:-

5.Paste the URL ( of the profile image path now you can see the EXIF data.

Impact:- This vulnerability impacts all users on microweber. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on microweber.

We are processing your report and will contact the chocobozzz/peertube team within 24 hours. a year ago
We have contacted a member of the chocobozzz/peertube team and are waiting to hear back a year ago
We have sent a follow up to the chocobozzz/peertube team. We will try again in 7 days. a year ago
chocobozzz validated this vulnerability a year ago
tharunavula has been awarded the disclosure bounty
The fix bounty is now up for grabs
chocobozzz marked this as fixed in 4.1.1 with commit 0c058f a year ago
chocobozzz has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation