Concise tip: Always check for Exif metadata, particularly the GPS latitude/longitude tags, on profile pictures and anywhere else that images can be publicly shared on a website.
My report: https://hackerone.com/reports/446238
Full story: Exif is a metadata standard used primarily in JPEG images to store information about a photo such as the camera model, the date and time the photo was taken, copyright information, and even the latitude/longitude of the location where it was taken. Many modern smartphones attach this latitude/longitude data by default to images taken through their native camera apps unless the user turns it off in settings.
This creates quite a privacy risk if a website does not handle that metadata properly: that is, if the site lets users publicly share images via profile pictures, forum posts, etc., and does not strip the Exif metadata from the images shared on the platform. Couple that lack of stripping with the fact that most smartphone users do not realize they are sharing the location data of the photo, and you get scenarios that disclose the uploader's exact home location, or other data they may not want to share such as their phone model.
When you're testing websites that have public profile pages with images on them or, better yet, forums, prepare a JPEG image with Exif latitude/longitude data attached and upload it to each of those spots. If you can re-download it from the website and it still contains that Exif metadata, you've likely found a vulnerability. There are a couple of exceptions, however:
- The site strips latitude/longitude but not other data. This is somewhat common, as the copyright data may need to be preserved for legal reasons, and no field beyond latitude/longitude really gives away anything that could be sensitive.
- The original image with metadata is only accessible to the uploader. When re-downloading, always try it while unauthenticated and while logged in to a different account, to see if the disclosure is reproducible without being authenticated on the uploader's account.
If neither of the above scenarios applies, congratulations! You've likely found yourself a vulnerability. One thing that can also increase the severity is if the place where images are uploaded is obviously meant for images of the home. For example, maybe there is a forum topic for home decor images. This increases the chance that the latitude/longitude data is the uploaders' home location, and therefore the amount of sensitive information disclosed.
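The upload-and-re-download check above, as an added example that is not part of the original post or of GitLab's code: a dependency-free Python script that builds a JPEG carrying a GPS sub-IFD in its APP1 Exif block (the same structure a phone camera writes), reads the coordinates back out the way a tester would verify a re-downloaded image, and shows the server-side fix, dropping the APP1 (Exif/XMP), APP13 (IPTC) and COM segments while keeping the segments a decoder needs. The coordinates are constructed, and the sample bytes are only a marker skeleton (SOI, APP1, SOS, EOI) with no scan data, not a decodable image.

```python
"""Added example (not from the original post or GitLab's code): a dependency-free
check for GPS coordinates in a JPEG's Exif block, plus a defensive scrubber that
drops metadata segments. Sample bytes and coordinates are constructed; the JPEG
is a marker skeleton (SOI, APP1, SOS, EOI) with no scan data, not a real image."""
import struct
from fractions import Fraction

SOI, SOS, EOI = 0xD8, 0xDA, 0xD9             # marker codes (byte after 0xFF)
APP1, APP13, COM = 0xE1, 0xED, 0xFE          # Exif/XMP, IPTC/Photoshop, comment
TAG_GPS_IFD = 0x8825                         # IFD0 pointer to the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types


def _dms(value: Fraction):
    """Decimal degrees -> [(deg,1), (min,1), (sec_num, sec_den)] RATIONAL pairs."""
    value = abs(value)
    d = int(value)
    m = int((value - d) * 60)
    s = (((value - d) * 60) - m) * 60
    s = s.limit_denominator(10000)
    return [(d, 1), (m, 1), (s.numerator, s.denominator)]


def build_gps_exif_jpeg(lat, lon) -> bytes:
    """Construct a JPEG skeleton whose APP1 Exif block carries a GPS sub-IFD."""
    lat_f, lon_f = Fraction(lat), Fraction(lon)
    lat_ref = b"N" if lat_f >= 0 else b"S"
    lon_ref = b"E" if lon_f >= 0 else b"W"
    # TIFF layout (big-endian): header 0..8, IFD0 at 8 (1 entry, 18 bytes),
    # GPS IFD at 26 (4 entries, 54 bytes), latitude rationals at 80, longitude at 104.
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, 26) + b"\0" * 4
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + lat_ref + b"\0" * 3  # ASCII, inline
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, 80)                       # 3 RATIONALs
    gps += struct.pack(">HHI", GPS_LON_REF, 2, 2) + lon_ref + b"\0" * 3
    gps += struct.pack(">HHII", GPS_LON, 5, 3, 104)
    gps += b"\0" * 4                                                     # no next IFD
    rationals = b"".join(struct.pack(">II", n, d) for n, d in _dms(lat_f) + _dms(lon_f))
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + rationals
    payload = b"Exif\0\0" + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    sos = bytes([0xFF, SOS]) + struct.pack(">H", 2)  # empty SOS header, no scan data
    return bytes([0xFF, SOI]) + app1 + sos + bytes([0xFF, EOI])


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:  # entropy-coded data follows; stop walking markers
            break
        pos = end


def _gps_from_tiff(tiff: bytes):
    """Parse IFD0 -> GPS IFD and return (lat, lon) in decimal degrees, or None."""
    endian = {b"MM": ">", b"II": "<"}[tiff[:2]]

    def u16(o):
        return struct.unpack(endian + "H", tiff[o:o + 2])[0]

    def u32(o):
        return struct.unpack(endian + "I", tiff[o:o + 4])[0]

    def read_ifd(offset):
        entries = {}
        for i in range(u16(offset)):
            e = offset + 2 + 12 * i
            tag, typ, count = u16(e), u16(e + 2), u32(e + 4)
            size = TYPE_SIZES.get(typ, 1) * count
            # Values of 4 bytes or less sit inline; larger ones are reached via an offset
            entries[tag] = (typ, count, e + 8 if size <= 4 else u32(e + 8))
        return entries

    ifd0 = read_ifd(u32(4))
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(u32(ifd0[TAG_GPS_IFD][2]))  # the inline LONG is the sub-IFD offset

    def coord(ref_tag, val_tag):
        if ref_tag not in gps or val_tag not in gps:
            return None
        ref = tiff[gps[ref_tag][2]:gps[ref_tag][2] + 1]
        off = gps[val_tag][2]
        parts = [Fraction(u32(off + 8 * i), u32(off + 8 * i + 4)) for i in range(3)]
        deg = parts[0] + parts[1] / 60 + parts[2] / 3600
        return float(-deg if ref in (b"S", b"W") else deg)

    lat, lon = coord(GPS_LAT_REF, GPS_LAT), coord(GPS_LON_REF, GPS_LON)
    return None if lat is None or lon is None else (lat, lon)


def find_gps(data: bytes):
    """What a tester checks on the re-downloaded file: GPS coordinates or None."""
    for marker, start, end in iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == b"Exif\0\0":
            return _gps_from_tiff(data[start + 10:end])
    return None


def strip_metadata(data: bytes) -> bytes:
    """Server-side fix: drop APP1/APP13/COM segments, keep APP0 (JFIF), APP14
    (Adobe) and every table/frame segment so the image still decodes."""
    out = bytearray(data[:2])
    tail = len(data)
    for marker, start, end in iter_segments(data):
        tail = end
        if marker in (APP1, APP13, COM):
            continue
        out += data[start:end]
    out += data[tail:]  # scan data (after SOS) and EOI, untouched
    return bytes(out)


if __name__ == "__main__":
    sample = build_gps_exif_jpeg(51.5, -0.125)  # constructed coordinates
    print("uploaded image carries GPS:", find_gps(sample))
    scrubbed = strip_metadata(sample)
    print("after stripping:", find_gps(scrubbed), len(sample), "->", len(scrubbed), "bytes")
```

For a real test you would run `find_gps` over a photo taken with a phone and then over the copy served back by the site; if the second call still returns coordinates and the second-account check from the list above also passes, that is the finding. On the defensive side, segment-level stripping like `strip_metadata` is the minimum; most platforms instead re-encode uploads through an image library so that every container the decoder ignores is discarded at once.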
Finally, a few tips. Be sure to check images attached to reviews, although some of these may not qualify because the image host/review integration is third-party. Also, if you don't initially see the metadata, make sure you're viewing the original image. For example, if you right-click and open a profile picture in a new tab, there will often be URL parameters or other modifiers changing the size, quality, etc. Try removing all of these modifiers and downloading that image.
Although the patch took a while, GitLab eventually rolled it out, and they were a great team to work with. Thank you to the whole GitLab team and the HackerOne triagers for a smooth reporting process. As GitLab specified in the summary, they are aware of tricks to bypass Exif metadata stripping and are working to remediate these, but they do not consider this impactful enough for a valid report. This is likely because the information disclosed comes from the uploader's end, so it would make no sense for an uploader to bypass the stripping and leak their own information.