EXIF Geolocation Data Not Stripped From brand logo in answerdev/answer
Mar 10th 2023
When the user uploads his logo, the uploaded image’s EXIF Geo-location Data does not get stripped. As a result, anyone can get sensitive information like user's Device ID, Geo Location, System Information, System version, ETC.
Step to reproduce:
- Upload logo with EXIF DATA, or download from here. (https://github.com/ianare/exif-samples)
- Now right click on image and download it.
- Open on any EXIF data viewer online. like (https://jimpl.com/) and upload downloaded image.
This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on answerdev.