Hey guys, hope you’re doing well. Today I’ll be sharing about the first bug bounty that helped me start my career in bug bounty. It might be the breakthrough for many of the beginner hunters as well so keep trying and keep learning.
I started my bug bounty journey in Dec 2023 and this was the first valid bug I submitted and received a reward for. If the program accepts this kind of bug, you can find it pretty easily.
I did not do any extensive testing for this bug. I found it pretty easily. While I was browsing the Intigriti platform for targets, I came across one. The target was an e-commerce application where users can register and buy products, and business owners can also register themselves and sell products. I thoroughly examined all the features and one feature caught my eye: a chat feature where a user can inquire about a product and sellers can reply to it. It was a simple chat box but had a file upload feature.
Firstly, I tried to test for stored XSS but there were proper measures in place, so I was not successful. Second, I tried XSS via file upload and did not succeed again. Next, I tried XSS via filename; it was not successful either. Then I went to check the program description to see if there was anything that they wanted us to test, but again I did not get any lead.
But I realized that the out-of-scope policy for the program was different from other programs. They did not have the same out-of-scope policy. I read the whole out-of-scope list and compared it with other programs. Among the differences, one caught my eye:
Not stripping metadata of files
It was not there in the out-of-scope list of my target, so I wanted to test this and I looked for the places where I could upload images. I tried it with the chat feature that I had tested before. I added some metadata to the images.
Photo metadata is the embedded information within a digital image file that provides details about the photo, including technical data, descriptive information, and copyright details.
Photo metadata often includes the following elements: creation date, author, file name, content, size in bits and pixels, themes, GPS coordinates or other location information, camera settings like ISO speed, shutter speed, focal length, and other details, copyright information and more.
View metadata with the command: exiftool imagename.jpg
I used exiftool to add metadata to the image.
exiftool -artist=John_Doe image.jpg
exiftool -Location=Street-1,Lane23,Kathmandu,Nepal image.jpg
Here exiftool is the command, -artist is the metadata tag to add, John_Doe is a dummy example value for that tag, and image.jpg is the file to add the metadata to.
After adding metadata, I sent the image from the customer account to the seller account. I logged into the seller account and downloaded the received image. Once sent, we can download it from the sender’s account too. After downloading, I checked the metadata of the downloaded image, and the metadata I had added to the image was still there, unchanged in any form, so that was a valid bug.
I wrote a report and submitted it.
Summary: When uploading or sending images via message, EXIF metadata is not removed or changed in any way.
Description: When communicating with anyone via chat message, the EXIF metadata on the photos isn’t stripped. This can lead to disclosure of the location where the photo was taken, or other personal information, to anyone who has the picture afterwards.
Steps to reproduce:
1. Login to any account.
2. Send an image file with EXIF metadata to the recipient.
3. You can download the image via the recipient account or from the same account after the image has been uploaded and sent.
4. Retrieve the metadata and observe the exposed information.
Impact
An attacker could download public post images and find sensitive metadata. Some phones attach metadata with the **latitude/longitude** of where the photo was taken, the user’s name, and device information, which could leak important information, and it’s just best practice as well to strip all metadata from images when uploaded.
They accepted it as low and paid me a reward of 200 euro.
After this bounty, I was very happy as well as excited. I then kept working hard to get more and more.
Thank you guys for reading all the way. Stay tuned for the next writeup.
Connect with me: https://x.com/SugamDangal2