EXIF Data
What is EXIF Metadata?
EXIF stands for Exchangeable Image File Format. It is a record which shows the digital SLR camera settings used to take a particular photograph. This data is recorded into the actual image file. Therefore each photograph has its own unique data. EXIF data shows photo information such as camera model, exposure, aperture, ISO, what camera mode was used and whether or not a flash fired.
What is EXIF Exposure?
EXIF Data stores sensitive information like Geo-location, Date, Name of the camera, Modified date, Time, Sensing Method, File Source, Type of compression etc. in the photos you click. Now this data resides in the every photo you take using cameras. Whenever you upload a picture on a website and if the website does not strip these sensitive data then this could lead to sensitive data exposure like the Geo-location, Date of the photo, Time of the photo, Camera used etc.
Severity
- Automatic User Enumeration P3 severity
- Manual User Enumeration P3 severity
Exploiting EXIF Data Exposure
Find an entry point for uploading an image
Upload image containing sensitive EXIF meta data. You can find such images on https://github.com/ianare/exif-samples
Once uploaded, either Copy Image Address or Save the Image
Go to http://exif.regex.info/exif.cgi and paste the link or upload the image.
Click on View Image Data and it will give you the EXIF metadata of that image (if the data is not stripped by the server).