
EXIF Geolocation Data Not Stripped from Uploaded Images


Solved by Marc Stridgen


We recently underwent pen testing and our forums got flagged because EXIF geolocation data is not getting stripped from uploaded images. Is there a way to mitigate this?

Steps to Reproduce:

  1. Visit any topic and click the reply.
  2. Upload an image with EXIF geolocation data, such as the attached sample image, in the reply box.
  3. Now download the image. Use the Windows Properties tool or any EXIF viewer, such as exifdata.com, and check the metadata. Whatever was there when uploaded should be there when downloaded. Here, you will find that geolocation data is showing in the longitude and latitude section.

Business Impact: When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. This impact is amplified by the speed at which an attacker is able to enumerate geolocation data of users on the platform.


Edited by Ben-gsp
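A server-side check and strip for the problem described above, added as an example that is not part of this thread or of the forum software: it walks the JPEG marker structure directly (no imaging library), reports whether an APP1 Exif segment points at a GPS IFD, and drops the metadata segments before the file is stored. The function names and the embedded sample JPEG are constructed for this example.

```python
import struct

def _build_sample_jpeg() -> bytes:
    """Constructed sample: marker skeleton of a JPEG (no scan data) whose APP1
    Exif segment has an IFD0 entry pointing to a GPS IFD with one tag."""
    tiff = b"II*\x00" + struct.pack("<I", 8)          # little-endian TIFF header, IFD0 at offset 8
    gps_ifd = 8 + 2 + 12 + 4                          # header + entry count + one entry + next-IFD link
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", 0x8825, 4, 1, gps_ifd) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 1) + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack("<I", 0)
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return b"\xff\xd8" + app1 + b"\xff\xd9"

def _segments(data: bytes):
    """Yield (marker, raw bytes) per segment; SOS and everything after it is passed as one chunk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    yield 0xD8, data[:2]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                             # EOI
            yield marker, data[pos:pos + 2]
            return
        if marker == 0xDA:                             # SOS: entropy-coded data runs to EOI, untouched
            yield marker, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length

def exif_has_gps(data: bytes) -> bool:
    """Detection: does any APP1 Exif segment's IFD0 carry a GPSInfo IFD pointer (tag 0x8825)?"""
    for marker, seg in _segments(data):
        if marker != 0xE1 or seg[4:10] != b"Exif\x00\x00":
            continue
        tiff = seg[10:]
        e = "<" if tiff[:2] == b"II" else ">"
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            off = ifd0 + 2 + 12 * i
            if struct.unpack(e + "H", tiff[off:off + 2])[0] == 0x8825:
                return True
    return False

def strip_metadata(data: bytes) -> bytes:
    """Mitigation: drop APP1 (Exif, XMP) and APP13 (Photoshop/IPTC), where location data lives;
    keep APP0 (JFIF), APP2 (ICC) and APP14 (Adobe) so the image still decodes correctly."""
    return b"".join(seg for marker, seg in _segments(data) if marker not in (0xE1, 0xED))
```

Run `strip_metadata` on every upload before it is written to storage, and use `exif_has_gps` as the audit check in the same place the pen test looked (the downloaded copy).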

Thank you for bringing this issue to our attention! I can confirm this should be further reviewed and I have logged an internal bug report for our development team to investigate and address as necessary in a future maintenance release.

