EXIF Geolocation Data Not Stripped From brand logo in answerdev/answer

Reported on Mar 10th 2023

When a user uploads a logo, the EXIF geolocation data in the uploaded image is not stripped. As a result, anyone who downloads the logo can read sensitive information such as the uploader's device ID, geolocation, system information and system version from its metadata.

Steps to reproduce:

  1. Upload a logo that contains EXIF data, or download one from https://github.com/ianare/exif-samples.
  2. Right-click the uploaded image and download it.
  3. Open the downloaded image in any online EXIF viewer, for example https://jimpl.com/, and inspect the metadata.


This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on answerdev.
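As an added example (not code from this report or from the answerdev/answer code base), the Go program below shows the two server-side pieces a defender wants for this issue: a check that walks a JPEG's marker segments and reports whether an APP1 EXIF segment is present, and a mitigation that decodes the upload to pixels and re-encodes it, which discards all embedded metadata rather than editing it in place. The fixture JPEG is constructed inline (its EXIF block is a minimal TIFF header whose IFD0 carries the standard GPSInfo pointer tag 0x8825 to an empty GPS IFD) and is an assumption of this example, not an image from the project.

```go
package main
import (
	"bytes"
	"encoding/binary"
	"errors"
	"image"
	"image/jpeg"
)

// hasExifSegment walks the marker segments that precede the JPEG scan data and
// reports whether an APP1 segment with an "Exif" payload is present.
func hasExifSegment(data []byte) (bool, error) {
	if !bytes.HasPrefix(data, []byte{0xFF, 0xD8}) {
		return false, errors.New("not a JPEG: missing SOI marker")
	}
	for i := 2; i+4 <= len(data); {
		marker := data[i+1]
		if marker == 0xDA || marker == 0xD9 { // SOS or EOI: no metadata segments follow
			return false, nil
		}
		segLen := int(binary.BigEndian.Uint16(data[i+2:]))
		if data[i] != 0xFF || segLen < 2 || i+2+segLen > len(data) {
			return false, errors.New("malformed or truncated segment")
		}
		if marker == 0xE1 && bytes.HasPrefix(data[i+4:i+2+segLen], []byte("Exif\x00\x00")) {
			return true, nil
		}
		i += 2 + segLen
	}
	return false, errors.New("unexpected end of data")
}

// stripMetadata decodes the upload to pixels and re-encodes them, which drops
// every APPn segment (EXIF, XMP, ICC) instead of trying to edit them in place.
func stripMetadata(data []byte) ([]byte, error) {
	out := new(bytes.Buffer)
	img, err := jpeg.Decode(bytes.NewReader(data))
	if err == nil {
		err = jpeg.Encode(out, img, &jpeg.Options{Quality: 90})
	}
	return out.Bytes(), err
}

// sampleJPEGWithExif is a constructed fixture, not a real upload: an 8x8 JPEG with an
// injected APP1 segment whose minimal TIFF header has an IFD0 pointing at an empty GPS IFD.
func sampleJPEGWithExif() []byte {
	var buf bytes.Buffer
	_ = jpeg.Encode(&buf, image.NewRGBA(image.Rect(0, 0, 8, 8)), nil)
	tiff := []byte{'I', 'I', 0x2A, 0, 8, 0, 0, 0, // little-endian TIFF header, IFD0 at offset 8
		1, 0, 0x25, 0x88, 4, 0, 1, 0, 0, 0, 26, 0, 0, 0, 0, 0, 0, 0, 0, 0} // IFD0: GPSInfo (0x8825) -> empty GPS IFD at 26
	payload := append([]byte("Exif\x00\x00"), tiff...)
	app1 := append([]byte{0xFF, 0xE1, byte((len(payload) + 2) >> 8), byte(len(payload) + 2)}, payload...)
	return append(append([]byte{0xFF, 0xD8}, app1...), buf.Bytes()[2:]...) // SOI, APP1, rest of the plain JPEG
}
```

Re-encoding is lossy, so a service that must preserve pixel quality should instead drop the APP1 segment while copying the remaining segments; the detection function above is the check to run on the stored file either way.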

We are processing your report and will contact the answerdev/answer team within 24 hours. 9 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 9 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 9 months ago
answerdev/answer maintainer validated this vulnerability 8 months ago


Rahul Parmar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
answerdev/answer maintainer marked this as fixed in 1.0.8 with commit ac3f2f 8 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability 8 months ago