Metadata (e.g. EXIF) should be stripped from images used as project/group images
HackerOne report #446238 by ghjfgjggfdfhfgsdfssdf on 2018-11-17:
Summary: When uploading JPEG images as group logos on Gitlab, the EXIF metadata is not removed or changed in any way.
Description: When setting up a group on Gitlab, you can upload a logo, and if you upload a JPEG with EXIF metadata in it, the metadata isn't stripped. This can lead to disclosure of the location where the photo was taken, or other personal information about the uploader, if their group is public, as anyone can download the logo and check the metadata.
Steps To Reproduce:
- Upload a test image with any EXIF tags filled in (you can test with the attached download.jpg image on this report)
- Make the group public
- Visit the group page unauthenticated and download the image
- Use the Windows file properties dialog or any EXIF viewer to check the metadata. Whatever was there when uploaded should still be there when downloaded, including the exact file name (the file name part isn't an actual reportable problem in itself, but it's good practice to encode it or replace it with a random file name in case the uploading user forgets to remove personal information from the file name)
PoC
Check out my group: https://gitlab.com/gthgh and try downloading the logo. The metadata for it should show "egginfo" under Copyright.
Impact
An attacker could download public group logos and find sensitive metadata. Some phones attach metadata with the latitude/longitude of where the photo was taken which could leak important information, and it's just best practice as well to strip all metadata from images when uploaded.
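The mitigation the report asks for, stripping metadata at upload time, can be illustrated with a small JPEG segment walker. This is an added example and not GitLab's own code: a JPEG is a sequence of marker segments (each `0xFF`, marker byte, 2-byte big-endian length, payload) up to the Start-Of-Scan marker, after which the compressed pixel data follows. EXIF lives in an APP1 segment, and other metadata commonly lives in the other APPn segments and in COM segments. Dropping those segments while keeping APP0 (JFIF), the quantization and Huffman tables, and everything from SOS onwards produces a valid JPEG with the same pixels and no embedded metadata. The sample JPEG below is constructed inline (the "egginfo" copyright string mirrors the report's PoC); `strip_jpeg_metadata` and `segment_markers` are hypothetical helper names, and a real upload pipeline would normally hand this job to a maintained image library rather than parse the format by hand.

```ruby
# Added example (not GitLab's code): strip metadata segments from a JPEG.
# Segments between SOI and SOS are walked; APP1..APP15 and COM are dropped.
# APP0 (JFIF header) and all table segments are kept; SOS onwards is copied.

# Marker bytes whose segments carry metadata: APP1..APP15 (0xE1..0xEF) and COM (0xFE).
STRIPPABLE_MARKERS = ((0xE1..0xEF).to_a + [0xFE]).freeze

SOI = "\xFF\xD8".b  # Start Of Image
SOS_MARKER = 0xDA   # Start Of Scan: entropy-coded data follows, parsing stops here

# Build one marker segment: 0xFF, marker, 2-byte big-endian length (length includes itself).
def segment(marker, payload)
  [0xFF, marker, payload.bytesize + 2].pack("CCn") + payload.b
end

# Return the marker bytes of all segments before SOS, in file order.
def segment_markers(bytes)
  data = bytes.b
  markers = []
  pos = 2
  while pos + 4 <= data.bytesize && data.getbyte(pos) == 0xFF
    marker = data.getbyte(pos + 1)
    break if marker == SOS_MARKER
    markers << marker
    pos += 2 + data.byteslice(pos + 2, 2).unpack1("n")
  end
  markers
end

# Return a copy of the JPEG with APPn (except APP0) and COM segments removed.
def strip_jpeg_metadata(bytes)
  data = bytes.b
  raise ArgumentError, "not a JPEG (missing SOI)" unless data.byteslice(0, 2) == SOI

  out = SOI.dup
  pos = 2
  while pos + 4 <= data.bytesize
    raise ArgumentError, "bad marker at byte #{pos}" unless data.getbyte(pos) == 0xFF

    marker = data.getbyte(pos + 1)
    if marker == SOS_MARKER
      # Pixel data and the trailing EOI marker are copied untouched.
      out << data.byteslice(pos..-1)
      return out
    end

    length = data.byteslice(pos + 2, 2).unpack1("n")
    seg_end = pos + 2 + length
    raise ArgumentError, "truncated segment at byte #{pos}" if seg_end > data.bytesize

    out << data.byteslice(pos, 2 + length) unless STRIPPABLE_MARKERS.include?(marker)
    pos = seg_end
  end
  raise ArgumentError, "no SOS marker found"
end

# Constructed sample: JFIF header, an APP1 "Exif" segment carrying a copyright
# string, a COM segment, a quantization table, then SOS, a few data bytes and EOI.
SAMPLE_JPEG = (
  SOI +
  segment(0xE0, "JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00".b) +
  segment(0xE1, "Exif\0\0".b + "MM\0\x2A\0\0\0\x08".b + "Copyright: egginfo".b) +
  segment(0xFE, "comment with GPS-like text".b) +
  segment(0xDB, "\x00".b + ("\x10".b * 64)) +
  segment(0xDA, "\x01\x01\x00\x00\x3F\x00".b) +
  "\x12\x34\x56".b + "\xFF\xD9".b
).freeze

if __FILE__ == $PROGRAM_NAME
  puts "before: #{segment_markers(SAMPLE_JPEG).map { |m| format('0x%02X', m) }.join(' ')}"
  cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
  puts "after:  #{segment_markers(cleaned).map { |m| format('0x%02X', m) }.join(' ')}"
  puts "copyright string still present: #{cleaned.include?('egginfo')}"
end
```

Running the script prints the segment list before (`0xE0 0xE1 0xFE 0xDB`) and after (`0xE0 0xDB`) stripping, and reports that the copyright string is gone. Note that this only addresses JPEG; PNG (`tEXt`/`eXIf` chunks) and other formats GitLab accepts need the same treatment, and renaming the stored file to a random name, as the report suggests, is a separate step from stripping the embedded metadata.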
Attachments
Warning: Attachments received through HackerOne, please exercise caution!