4

Recently while lurking around one of the social networking sites popular with local folks, I have found out that the site does not scrub out the GPS data from uploaded pictures. I've contacted them and told them about my concerns, but their reply was that they believe uploading images with (potentially) your home address is only a user error.

I've tried to argue with them, that because

  • A lot of the users like to post selfies on the site, so there are quite a lot of pictures
  • The userbase of the site contains a lot of teens and other potentially vulnerable people (to real life abuse if their home/work address would leak)
  • The site's API makes it very easy to search for selfies and other pictures
  • And finally once someone comments on your photo you cannot delete it anymore (so even if someone realizes their mistake they cannot fix it anymore, unless contacting customer support to remove the offending pictures). Even quitting the social networking site altogether will not delete your already uploaded pictures that have comments on them.

this is something to be concerned about, but based on their reply they didn't think so, even after I showed them some of my findings, like the fact that using their API around 13% of the pictures have GPS information in their EXIF data.

To help raise awareness I created a (yet unpublished) blog post and an (also yet unpublished) open source application that uses the site's API to go over the pictures of a user, and tells them whether they are vulnerable or not. If they are, the app also suggests that they contact customer support and ask them to completely purge the offending pictures from the system (as that is the only way to get rid of them).

Unfortunately while I'm trying to make the app only return the bare minimum data (it only tells the user whether they are vulnerable or not, but doesn't plot the locations on a map or similar), I'm worried that a malicious person after realizing the hole could modify the app in a way that would allow them to easily plot the locations of people who have uploaded pictures with GPS data.

My questions are:

  • Is this actually considered a security risk, or are they right that this is just user error?
  • Is my approach of releasing a blog post and an application with it that can tell you if you are vulnerable or not the right one to do, since I couldn't get the developers to plug this hole?
  • Should I be concerned that if I make my findings public it can lead to a surge of malicious use, which I'm worried that could lead to real life stalking and abuse of some of the members of the site, or am I just worrying too much?
Anders
SztupY
  • exif breadcrumbs are why the android sd card permission is a big deal to me. nerds know about this stuff, and either sanitize it or don't care. make something that freaks people out if you want a reaction, make regular idiots demand action from the republisher. it could optimize while at it... – dandavis Oct 27 '16 at 03:15
  • I think this depends both on the kind of site and on the opinions of the users. Often locations can be found out based on the content of the pictures. And by uploading the pictures the users already provide lots of information about their friends, where they live etc. So having the EXIF with GPS, time, kind of camera... inside might actually be considered just one more of the many pieces of information the user voluntarily shares. I therefore suggest to close this question because answers will be primarily opinion based. – Steffen Ullrich Oct 27 '16 at 04:37
  • @SteffenUllrich obviously it is hard to describe the site without exposing its actual name, but basically you suggest that it's perfectly okay to keep this information available to everyone. – SztupY Oct 27 '16 at 06:49
  • @SztupY: No, I suggest that this is a highly opinion-based question because one might argue that the users already provide lots of information about themselves so that adding time, GPS, camera type etc can be seen as just another piece of information the user is willing to make public. But again, this depends on the kind of site, the kinds of users and their opinions. – Steffen Ullrich Oct 27 '16 at 07:05
  • To add to @SteffenUllrich comment: this also includes the site ToS (they may say that they keep the coordinates and that you accept that) and the legal context (what I just said may not be legal in some countries). – WoJ Oct 27 '16 at 08:29
  • @WoJ: checked the ToS, they only include they retain the camera information from EXIF, not your location. – SztupY Oct 27 '16 at 08:37
  • Is it possible if I spoof my information by uploading pictures using VPN and edit date, time and place watermarks on a picture? It is just a site anyway. If you are not using their app then they can't access your GPS location. – defalt Oct 29 '16 at 02:56

1 Answer

3

Is this actually considered a security risk, or are they right that this is just user error?

Is my approach of releasing a blog post and an application with it that can tell you if you are vulnerable or not the right one to do, since I couldn't get the developers to plug this hole?

Should I be concerned that if I make my findings public it can lead to a surge of malicious use, which I'm worried that could lead to real life stalking and abuse of some of the members of the site, or am I just worrying too much?

The developers not wanting to fix it does not make the issue go away. Let's examine two possibilities for your first question:

If users of the site agree with the developers and don't care after it has been explained to them, there was no harm in your blog post, or in anyone else using your code.

If users of the site disagree with the developers and do care, they can now a) petition the devs to change their minds, b) stop using the site, c) implement scrubbing on their end, or d) take other actions to fix the issue. The issue was already present, so your blog post has led to a better situation for those users. The only way this wouldn't be the case is if you're assuming no one else has, or ever will, discover the issue, and history says that's a poor assumption to make.

Xiong Chiamiov
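
Option c) in the answer above, scrubbing on the user's end before upload, can be done with the standard library alone. The following is an added example, not part of the original answer or of the asker's unpublished app: it checks a JPEG for the EXIF GPS pointer (tag 0x8825 in IFD0) and removes the Exif APP1 segment. The function names and the sample file built by `make_sample` are constructed for illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD

def iter_segments(jpeg):
    """Yield (start, end, tiff) per header segment; tiff is None unless Exif."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    # Stop at start-of-scan (0xDA) or end-of-image (0xD9): no metadata after that.
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if jpeg[pos] != 0xFF or length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("corrupt segment at offset %d" % pos)
        body = jpeg[pos + 4:pos + 2 + length]
        is_exif = jpeg[pos + 1] == 0xE1 and body.startswith(EXIF_HEADER)
        yield pos, pos + 2 + length, body[6:] if is_exif else None
        pos += 2 + length

def has_gps(jpeg):
    """True if an Exif segment's IFD0 holds a GPS IFD pointer."""
    for _start, _end, tiff in iter_segments(jpeg):
        tiff = tiff or b""
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte order
        if order is None or len(tiff) < 8:
            continue
        ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
        count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\0"))[0]
        tags = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]  # 12-byte IFD entries
        for i in range(0, len(tags) - 11, 12):
            if struct.unpack(order + "H", tags[i:i + 2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return the JPEG bytes with every Exif APP1 segment removed."""
    out, last = bytearray(), 0
    for start, end, tiff in iter_segments(jpeg):
        if tiff is not None:
            out += jpeg[last:start]
            last = end
    return bytes(out) + jpeg[last:]

def make_sample():
    """Constructed input: JPEG skeleton whose IFD0 has one GPS pointer entry."""
    entry = struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26)  # tag, LONG, count, offset
    app1 = EXIF_HEADER + b"MM\x00\x2a" + struct.pack(">IH", 8, 1) + entry + bytes(4)
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")
```

Removing the whole Exif segment also drops the orientation tag, so a stripped photo may display rotated until it is re-saved upright.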