Exif metadata not stripped when creating new Issue and Merge Requests with Image Attachments via Email
HackerOne report #952786 by muthu199503
on 2020-08-06, assigned to @jbroullon:
Report
Summary
GitLab provides an option where Issues and Merge Requests can be created via Email. When doing so, if any uploaded attachment image in the email contains Exif geolocation metadata, it is not stripped from the image. Exif metadata will contain sensitive information like users' geolocation data and device details. This leads to information disclosure.
Steps to reproduce
- Go to gitlab.com -> Project -> Issues -> create a new issue and upload an image with Exif metadata in it. Once the image is created, download it and verify that the Exif data is removed from the image.
- Now move to the Issues page and copy the email address that is used to create issues via Email.
- Send a mail to the above copied email address with an image which contains Exif metadata as an attachment. (I have added a sample image in the POC.)
- Once the issue is created, navigate to the issue page and download the image, and you can see that the Exif data is not removed from the image. To verify that the image contains Exif data, I used the following web app: http://exif.regex.info/exif.cgi
- Merge Requests can also be created via Email, and this is also vulnerable to the above bug. You can reproduce it by creating a merge request with the Email feature, with an image file which has Exif metadata in it as an attachment.
Impact
Exif metadata contains sensitive information like users' geolocation data and device details, which leads to information disclosure.
What is the current bug behavior?
For Issues which are created via Email, if they contain image attachments, these should be validated for any Exif metadata and it should be removed.
What is the expected correct behavior?
For Issues which are created via Email, if they contain image attachments, the Exif metadata is not removed, leading to disclosure of users' sensitive information.
Output of checks
This bug happens on GitLab.com
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
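A local check for the behaviour described in this report, as an added example (it is not part of the report and not GitLab's code): it walks a JPEG's header segments, reports whether an Exif APP1 segment and a GPS IFD pointer are present, and removes the Exif segment. The function names are illustrative and the sample image bytes are constructed.

```ruby
EXIF_SIG = "Exif\0\0".b   # identifier that opens an Exif APP1 payload
GPS_IFD_TAG = 0x8825      # IFD0 tag that points to the GPS sub-directory
# Returns [marker, start, stop, payload] for each header segment up to SOS.
# Assumes every marker before SOS carries a length field (APPn, DQT, SOF, DHT).
def jpeg_segments(data)
  data = data.b
  raise ArgumentError, "not a JPEG" unless data.start_with?("\xFF\xD8".b)
  segs, pos = [], 2
  while pos + 4 <= data.bytesize
    raise ArgumentError, "bad marker at #{pos}" unless data.getbyte(pos) == 0xFF
    marker = data.getbyte(pos + 1)
    len = data.byteslice(pos + 2, 2).unpack1("n")
    raise ArgumentError, "truncated segment" if len < 2 || pos + 2 + len > data.bytesize
    segs << [marker, pos, pos + 2 + len, data.byteslice(pos + 4, len - 2)]
    break if marker == 0xDA # SOS: compressed image data follows
    pos += 2 + len
  end
  segs
end

def exif_segment?(marker, payload)
  marker == 0xE1 && payload.start_with?(EXIF_SIG)
end

# Reports whether Exif is present and whether IFD0 references GPS data.
def exif_info(data)
  _, _, _, payload = jpeg_segments(data).find { |m, _, _, p| exif_segment?(m, p) }
  return { exif: false, gps: false } unless payload
  tiff = payload.byteslice(6..)
  u16, u32 = tiff.start_with?("II") ? %w[v V] : %w[n N] # TIFF byte order
  rd = ->(off, n, fmt) { tiff.byteslice(off, n).to_s.unpack1(fmt) || 0 }
  ifd0 = rd.(4, 4, u32)
  tags = Array.new(rd.(ifd0, 2, u16)) { |i| rd.(ifd0 + 2 + 12 * i, 2, u16) }
  { exif: true, gps: tags.include?(GPS_IFD_TAG) }
end

# Returns the JPEG bytes with every Exif APP1 segment removed.
def strip_exif(data)
  out = data.b
  jpeg_segments(data).reverse_each { |m, s, e, p| out[s...e] = "" if exif_segment?(m, p) }
  out
end

# Constructed sample: SOI, Exif APP1 (IFD0 with one GPS pointer entry), SOS, EOI.
def sample_jpeg
  tiff = "II".b + [42, 8, 1, GPS_IFD_TAG, 4, 1, 26, 0, 0, 0].pack("vVvvvVVVvV")
  seg = ->(m, body) { [0xFF, m, body.bytesize + 2].pack("CCn") + body }
  "\xFF\xD8".b + seg.(0xE1, EXIF_SIG + tiff) + seg.(0xDA, "\0".b * 10) + "\xFF\xD9".b
end
```

Running `exif_info` on an image downloaded from an issue created in the web UI and on one downloaded from an issue created via Email shows whether both upload paths strip the metadata.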