How I found an EXIF metadata leak and earned a small bounty

2 months ago 43

DEep

Hellooo hackers 👋👋 I hope you are doing well. In this blog I’m gonna tell you how I found an EXIF metadata leak and earned a little dollar bounty 💲💲

Story begins here:

One day I was hunting on a bug bounty program and I couldn’t find anything, even though I’d spent almost three or four days. So, at that time one of my colleagues told me about the EXIF metadata leak vulnerability. He also gave me a methodology to hunt for this vulnerability.

So, today I’m gonna tell you how you can also hunt this vulnerability.

First of all, let’s understand what EXIF metadata is, according to ChatGPT : )

EXIF metadata (Exchangeable Image File Format) is information embedded in image files, typically captured by digital cameras or smartphones. It includes details like the date and time the photo was taken, camera settings (such as shutter speed, aperture, and ISO), GPS location, and even the device model used. This metadata helps in organizing, editing, and understanding the context of images, but it can also reveal sensitive information, like the location where a photo was taken, so it’s often important to review or remove it before sharing images online.

I hope you understand that.

So, now let’s hunt for the vulnerability.

First of all, when you see any image upload functionality, try uploading an image that already has EXIF metadata in it.

Here you can download images like that.

The second step: after uploading the image, open it in a new tab, copy the URL of the image and paste it into jimple.com, or install the extension called EXIF Viewer Pro.

After installing the extension, all you have to do is right-click on the image.

There you will see "Show EXIF data", as shown in the above image. When you click on it, you will see the information stored in the image.

If you see the same information in the image served by the web application after you upload this kind of image, congratulations 👏 👏 you found the EXIF metadata vulnerability.
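The same check can be run without a browser extension on the bytes of the image the application serves back; this is an added example, not code from the original post, and it also shows the server-side fix of dropping the Exif segment before storing the upload. The function names and the sample bytes are constructed for illustration.

```python
import struct

SENSITIVE = {0x010F: "Make", 0x0110: "Model", 0x8825: "GPSInfo"}  # IFD0 tags

def exif_segments(data):
    """Yield (start, end) of each Exif APP1 segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("truncated segment")
        if data[pos + 1] == 0xE1 and data[pos + 4:end].startswith(b"Exif\x00\x00"):
            yield pos, end
        pos = end

def exif_findings(data):
    """Names of sensitive IFD0 tags still present in the served image."""
    found = []
    for start, end in exif_segments(data):
        tiff = data[start + 10:end]          # skip marker, length, "Exif\0\0"
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if order is None or len(tiff) < 8:
            continue
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        entries = tiff[ifd0 + 2:]
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\0"))
        for i in range(min(count, len(entries) // 12)):
            (tag,) = struct.unpack(order + "H", entries[12 * i:12 * i + 2])
            if tag in SENSITIVE:
                found.append(SENSITIVE[tag])
    return found

def strip_exif(data):
    """Copy of the JPEG with every Exif APP1 segment dropped (the server-side fix)."""
    out, last = bytearray(), 0
    for start, end in exif_segments(data):
        out += data[last:start]
        last = end
    return bytes(out) + data[last:]

# Constructed sample: minimal JPEG header whose IFD0 holds Model and GPSInfo
_ifd = struct.pack("<H", 2) + struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\0") \
     + struct.pack("<HHII", 0x8825, 4, 1, 38) + struct.pack("<IHI", 0, 0, 0)
_exif = b"Exif\0\0II*\0" + struct.pack("<I", 8) + _ifd
SAMPLE = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_exif) + 2) + _exif + b"\xff\xda\0\x02\xff\xd9"
```

Only IFD0 is inspected, so a `GPSInfo` result means the pointer to the GPS directory is present; an empty list from `exif_findings` on the served file means the application removed the metadata.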

I did the same process which I mentioned above, then made the PoC of it, reported it and got a small bounty from that.

I hope you learned something new from this blog. If you learned or liked my blog you can show some love by hitting the clap 👏 👏 👏 button as many times as you want ; )

Here is my LinkedIn.

Meet you with the new writeup, Happy Hacking ❤️❤️🙌🙌
