EXIF Geolocation Data Not Stripped From brand logo in answerdev/answer
Mar 10th 2023
When a user uploads a logo, the uploaded image's EXIF geolocation data is not stripped. As a result, anyone can obtain sensitive information such as the user's device ID, geolocation, system information, system version, etc.
Steps to reproduce:
- Upload a logo with EXIF data (samples can be downloaded from https://github.com/ianare/exif-samples).
- Right-click the image and download it.
- Open any online EXIF data viewer, such as https://jimpl.com/, and upload the downloaded image.
This vulnerability violates the user's privacy and exposes sensitive information about the user who uploads their profile picture on answerdev.
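One way to close this class of leak at upload time is to drop the metadata segments before the file is stored. The Go sketch below is an added example, not the project's fix and not code from the report; it assumes JPEG input only, and `StripJPEGMetadata` and `sampleJPEG` are hypothetical names.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// StripJPEGMetadata copies a JPEG while dropping the segments that carry
// metadata: APP1 (EXIF/XMP, incl. GPS tags), APP13 (IPTC) and COM (comments).
func StripJPEGMetadata(in []byte) ([]byte, error) {
	if len(in) < 4 || in[0] != 0xFF || in[1] != 0xD8 {
		return nil, fmt.Errorf("not a JPEG: missing SOI marker")
	}
	out := append(make([]byte, 0, len(in)), in[:2]...)
	for pos := 2; pos+4 <= len(in); {
		// Each segment is FF, marker, 2-byte big-endian length (length includes itself).
		end := pos + 2 + int(binary.BigEndian.Uint16(in[pos+2:pos+4]))
		if in[pos] != 0xFF || end < pos+4 || end > len(in) {
			return nil, fmt.Errorf("malformed segment at offset %d", pos)
		}
		switch in[pos+1] {
		case 0xDA: // SOS: entropy-coded scan data follows, copy the rest as-is
			return append(out, in[pos:]...), nil
		case 0xE1, 0xED, 0xFE: // metadata segment: skip it
		default: // structural segment (APP0, DQT, SOF, DHT, ...): keep it
			out = append(out, in[pos:end]...)
		}
		pos = end
	}
	return nil, fmt.Errorf("truncated JPEG: no SOS marker found")
}

// sampleJPEG builds a constructed, non-decodable JPEG skeleton for the demo.
func sampleJPEG() []byte {
	seg := func(marker byte, payload []byte) []byte {
		b := []byte{0xFF, marker, 0, 0}
		binary.BigEndian.PutUint16(b[2:], uint16(len(payload)+2))
		return append(b, payload...)
	}
	j := append([]byte{0xFF, 0xD8}, seg(0xE0, []byte("JFIF\x00"))...)
	j = append(j, seg(0xE1, []byte("Exif\x00\x00GPS-PLACEHOLDER"))...)
	j = append(j, seg(0xDA, []byte{0x01})...)
	return append(j, 0x12, 0x34, 0xFF, 0xD9)
}

func main() {
	out, err := StripJPEGMetadata(sampleJPEG())
	fmt.Println(len(out), bytes.Contains(out, []byte("Exif")), err)
}
```

Removing APP1 also removes the EXIF orientation tag, so images that rely on it may display rotated. Other upload formats (PNG, WebP) keep metadata in their own chunk types and need separate handling.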
We are processing your report and will contact the answerdev/answer team within 24 hours. 2 months ago
An answerdev/answer maintainer validated this vulnerability a month ago
Rahul Parmar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
An answerdev/answer maintainer marked this as fixed in 1.0.8 with commit ac3f2f a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE