Ben-gsp Posted December 9, 2022 Posted December 9, 2022 (edited) We recently underwent pen testing and our forums got flagged because EXIF geolocation data is not getting stripped from uploaded images. Is there a way to mitigate this? Steps to Reproduce: Visit any topic and click the reply. Upload an image with EXIF Geolocation data, such as the attached sample image, in the reply box Now download the image. Use windows properties tool or any EXIF viewer such as exifdata.com, and check the metadata. Whatever was there when uploaded should be there when downloaded. Here, you will find that Geolocation Data is showing on the longitude and latitude section. Business Impact: When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. This impact is amplified by the speed of which an attacker is able to enumerate geolocation data of users on the platform. Edited December 9, 2022 by Ben-gsp Link to image SeNioR- and My Sharona 2
Jim M Posted December 9, 2022 Posted December 9, 2022 Thank you for bringing this issue to our attention! I can confirm this should be further reviewed and I have logged an internal bug report for our development team to investigate and address as necessary, in a future maintenance release.
Solution Marc Posted May 9, 2023 Solution Posted May 9, 2023 This issue has been resolved in 4.7.10, which was just released. Please upgrade to that release if you are seeing this issue, and if you see any further problems, please let us know. SeNioR- 1
Recommended Posts