When a user uploads a picture to example.com, the EXIF Geolocation Data of the submitted image is not stripped. As a consequence, anybody may obtain sensitive information about example.com users such as their Geolocation, Device information such as Device Name, Version, Software and Software version utilized, and so on.
Steps to reproduce:
- Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg)
- There are lot of images having resolutions (i.e 1280 * 720 ) , and also whith different MB’s .
- Go to Upload option on the website
- Upload the image
- see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect , edit it as html )
- open it (http://exif.regex.info/exif.cgi)
- See wheather is that still showing exif data