Hello people. Here’s another blog; this one is another bug you can find real quick.
This one I found on a website which has profile photos of accounts, and where the photo you upload does not strip the EXIF metadata and had geoloaction data gettable from the photo.
Press enter or click to view image in full size
So the thing that happened is I was checking out the application, i setup my account there and added a photo for my profile, and I got to know that the profile picture URL looks like:
https://subdomain.redacted.com/Accounts/somedirectory/[email protected]/ProfileImages/imgfile.jpgThis was the point I thought, what would happen if this were publicly accessible, and I copied the link and pasted it in a private window, and it was publicly accessible.
So I confirmed that I can check for EXIF data not stripped, so I went to the website to check for EXIF data from the img :
https://exifinfo.org/Press enter or click to view image in full size
I put the URL in here and got the EXIF data as it was getting stripped from the server side: