Summary

  • A member-only security story on the risk posed by uploaded images has been published on bug bounty hunter Sick Codes’ blog.
  • The bug is the exposure of EXIF geolocation data in images; this metadata can reveal users’ locations, devices and timestamps.
  • Such metadata is often overlooked by developers, making it a hidden bug bounty gem.
  • The story advises readers on how to detect such bugs, and why it is vital to sanitise uploaded files.
  • EXIF (Exchangeable Image File Format) data is metadata stored in images such as JPG, PNG and TIFF, and can include device details, geolocation coordinates or timestamps.

This risk can be mitigated by ensuring that any location information is stripped before uploading images to websites or apps.

By HackerNasr

Original Article