Automatic User Enumeration

Automatic User Enumeration from EXIF Geolocation Data on Uploaded Images

Overview of the Vulnerability

Exchangeable Image File Format (EXIF) is a standard for embedding metadata in image files such as JPEG and TIFF. The EXIF block written by a camera or phone typically records the device make and model, exposure and lens settings, the capture timestamp and, when location tagging is enabled on the device, the GPS coordinates of where the photograph was taken. This application does not remove EXIF data from photographs that users upload, so an attacker who downloads a user's images can read the embedded coordinates and learn where that user lives, works or travels. Because the metadata sits in a fixed binary structure, a short script can download the images of many users and extract their GPS coordinates automatically, turning a per-user privacy leak into a platform-wide enumeration of users and their locations.

Business Impact

When an application fails to remove EXIF data from uploaded images, it exposes the physical locations of its users without their knowledge or consent. This breaks users' trust in the application, can result in reputational damage to the business and, where location data is treated as personal data under applicable privacy law, may also constitute a reportable data breach. The impact is amplified by the speed with which an attacker can harvest the geolocation data of every user on the platform.

Steps to Reproduce

  1. Use a browser to navigate to: {{url}}

  2. Download the images that the user has uploaded

  3. Run the following software/script against the downloaded images to automatically extract the EXIF geolocation data for multiple users:

{{Software}}

Proof of Concept (PoC)

The following screenshot shows the EXIF Geolocation Data:

{{screenshot}}

Recommendation(s)

The application should strip all metadata (EXIF, and also XMP and IPTC, which can carry location data as well) from images server-side at upload time, before the file is stored or served to other users, rather than relying on client-side removal. Re-encoding the image with an image library achieves this and also discards any metadata the application does not recognise.
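As an added, stand-alone illustration of both step 3 of the reproduction steps and the recommendation above (this is example code written for this page, not part of the original report or of any product): the script below walks a JPEG's marker segments using only the Python standard library, parses the TIFF/IFD structure inside the APP1 Exif segment to pull out the GPS coordinates, runs that over a batch of downloaded uploads the way an attacker would, and then shows the server-side fix, dropping the metadata segments before the file is stored. Because it has to run offline, it constructs its own minimal JPEG containing a GPS sub-IFD (`build_sample_jpeg`) instead of reading a real photograph; the coordinates it embeds are made up, and the function and tag names are this example's own.

```python
import struct

GPS_INFO_TAG = 0x8825                 # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4   # N/S, lat DMS, E/W, lon DMS
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF field type

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref, endian="<"):
    """Constructed sample: SOI + APP1/Exif + EOI carrying only a GPS sub-IFD (not decodable)."""
    # TIFF-relative offsets: IFD0 at 8 (1 entry, 18 bytes), GPS IFD at 26 (4 entries,
    # 54 bytes), latitude rationals at 80, longitude rationals at 104.
    tiff = (b"II" if endian == "<" else b"MM") + struct.pack(endian + "HI", 42, 8)
    tiff += struct.pack(endian + "H", 1) + struct.pack(endian + "HHII", GPS_INFO_TAG, 4, 1, 26)
    tiff += struct.pack(endian + "IH", 0, 4)                   # no IFD1; GPS IFD has 4 entries
    tiff += struct.pack(endian + "HHI", GPS_LAT_REF, 2, 2) + lat_ref + b"\x00\x00\x00"
    tiff += struct.pack(endian + "HHII", GPS_LAT, 5, 3, 80)
    tiff += struct.pack(endian + "HHI", GPS_LON_REF, 2, 2) + lon_ref + b"\x00\x00\x00"
    tiff += struct.pack(endian + "HHII", GPS_LON, 5, 3, 104)
    tiff += struct.pack(endian + "I", 0)                       # end of GPS IFD
    for num, den in (*lat_dms, *lon_dms):                      # RATIONAL = two uint32
        tiff += struct.pack(endian + "II", num, den)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

def _segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS: entropy-coded data follows
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)   # JPEG lengths are big-endian
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries

def _values(tiff, endian, entry):
    """Decode an IFD entry; values wider than 4 bytes are stored at an offset."""
    typ, count, raw = entry
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        data = raw[:size]
    else:
        (off,) = struct.unpack(endian + "I", raw)
        data = tiff[off:off + size]
    if typ == 2:                              # ASCII, NUL-terminated
        return data.rstrip(b"\x00").decode("ascii", "replace")
    if typ == 5:                              # RATIONAL pairs -> floats
        nums = struct.unpack(endian + "%dI" % (2 * count), data)
        return [n / d if d else 0.0 for n, d in zip(nums[::2], nums[1::2])]
    return data

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if the file has no GPS EXIF."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])       # TIFF byte-order mark
        if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
            continue
        ifd0 = _read_ifd(tiff, endian, struct.unpack_from(endian + "I", tiff, 4)[0])
        if GPS_INFO_TAG not in ifd0:
            continue
        gps = _read_ifd(tiff, endian, struct.unpack(endian + "I", ifd0[GPS_INFO_TAG][2])[0])
        if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            continue
        coords = []
        for val_tag, ref_tag in ((GPS_LAT, GPS_LAT_REF), (GPS_LON, GPS_LON_REF)):
            d, m, s = (_values(tiff, endian, gps[val_tag]) + [0.0, 0.0])[:3]
            value = d + m / 60 + s / 3600          # degrees/minutes/seconds -> decimal
            coords.append(-value if _values(tiff, endian, gps[ref_tag]) in ("S", "W") else value)
        return tuple(coords)
    return None

def collect_locations(uploads):
    """Attacker loop from step 3: {username: jpeg bytes} -> {username: (lat, lon)}."""
    return {user: gps for user, jpeg in uploads.items() if (gps := extract_gps(jpeg))}

def strip_metadata(jpeg):
    """Server-side fix: drop every APP1..APP15 and COM segment (EXIF, XMP, IPTC, comments),
    keeping APP0/JFIF, the frame and table segments and the scan data untouched."""
    out = bytearray(b"\xff\xd8")
    pos = 2
    for marker, start, end in _segments(jpeg):
        if not (0xE1 <= marker <= 0xEF or marker == 0xFE):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                         # SOS onwards, copied verbatim
    return bytes(out)
```

Two points worth noting when adapting this. First, the parser trusts the offsets inside the file; on a truncated or malicious EXIF block the `struct` calls raise `struct.error`, so a harvesting tool run against arbitrary uploads should catch that per image rather than abort the batch. Second, `strip_metadata` only shows the principle for JPEG: EXIF can also live in PNG (`eXIf` chunk), WebP and HEIC containers, and the big-endian (`MM`) variant the sample can generate is exactly the kind of case an ad-hoc filter that only looks for one byte order would miss, which is why the recommendation is to re-encode with a proper image library rather than to pattern-match segments.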

It is recommended to encrypt sensitive data both when at rest and when in transit. All data that is processed, stored, and transmitted by the application should be classified by business need, regulatory and industry requirements, and appropriate privacy laws.

Additionally, it is best practice to not store sensitive data when it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data should therefore be a part of a regularly reviewed maintenance cycle. This review cycle should include rotation of secrets.

For more information refer to Open Web Application Security Project (OWASP) guide relating to this vulnerability: https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
