EXIF Geolocation Data Not Stripped From brand logo in answerdev/answer

Valid

Reported on

Mar 10th 2023

When the user uploads his logo, the uploaded image’s EXIF Geo-location Data does not get stripped. As a result, anyone can get sensitive information like user's Device ID, Geo Location, System Information, System version, ETC.

Step to reproduce:

Upload logo with EXIF DATA, or download from here. (https://github.com/ianare/exif-samples)
Now right click on image and download it.
Open on any EXIF data viewer online. like (https://jimpl.com/) and upload downloaded image.

Impact

This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on answerdev.

We are processing your report and will contact the answerdev/answer team within 24 hours. 9 months ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists 9 months ago

We have contacted a member of the answerdev/answer team and are waiting to hear back 9 months ago

A answerdev/answer maintainer validated this vulnerability 8 months ago

https://github.com/answerdev/answer/commit/ac3f2f047ee00b4edaea7530e570ab67ff87cd6a

Rahul Parmar has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A answerdev/answer maintainer marked this as fixed in 1.0.8 with commit ac3f2f 8 months ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

A answerdev/answer maintainer published this vulnerability 8 months ago

to join this conversation