We allow our mobile devices to collect a multitude of data about us in order to improve our everyday lives. We take it for granted; without that GPS data, how would we remember where we parked our car? But often, users don’t understand the extent to which they share personal details on public web applications – especially when it comes to their photos.
Modern cameras embed a variety of information in the photo, from the model of the camera to GPS coordinates. This information is stored in JPEG’s generic “Application Segment” and encoded via Exchangeable Image File format (Exif).
As web application developers and application security engineers, we can add a measure of security for users by finding and stripping out their data (even when users don’t realize they need to be protected). This post shares our open-source tool, Image Location Scanner, for automating GPS data discovery during security assessments.
A virtual education organization had teachers and students connect via a website built on multi-user video chat infrastructure. Lessons took place in homes or offices, so privacy matters to these users. Students and teachers could log in to the system, update their profile picture and browse their peers' profiles, but anyone, logged in or not, could browse an instructor profile.
Let's look at an example instructor profile picture:
What can we learn about this virtual yoga instructor from this picture? Once we save the image to disk, we can use exifdata.com, readexifdata.com, or Preview on OS X to get all sorts of information: camera settings, photo attributes and even GPS information.
With the GPS coordinates in hand, we can locate her street address. From there, using public data, we find her last name and even use Google Maps Street View to view her home. Users are often unaware that their photos can make it easier for their locations, habits and schedules to be tracked.
Finding Vulnerable Images
Luckily, not all images contain GPS information. In our testing scenario above, only 2.5% of images had GPS info. Some users' photos never carried the data; many images had been manipulated, which destroyed the Exif. But on a large website, finding that 2.5% is time-consuming, and manual GPS detection is neither quick nor easy, nor is it guaranteed to find everything. To detect GPS data you must:
- Browse all user profiles.
- Copy images from Safari cache, ZAP history, etc.
- Filter profile images from chaff.
- Run “jpeg_exif_grep” for GPS.
Clearly, an automatic detection solution is in order.
In February of this year, I released ZAP & Burp plug-ins to automate GPS data discovery during normal security assessments. They passively scan images for GPS location exposure while a security professional tests a website. This week we updated those tools to scan new types of files and to look for new types of tags and codes.
The plug-ins find GPS information embedded within JPEG, PNG, and TIFF files by looking inside Exif tags, IPTC codes, and proprietary Panasonic/Lumix camera codes. They flag each finding in the Burp Scanner or ZAP Alerts list as an informational message. The auditor can then determine from context whether the location exposure is truly a security risk.
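As an added example (not code from the Image Location Scanner project), the following Python walks a JPEG's marker segments to the Exif TIFF block in APP1, follows the GPSInfo pointer (tag 0x8825) and reports which GPS sub-IFD tags are present, which is the Exif half of the check the plug-ins perform. The sample JPEGs it builds are constructed here, with a made-up coordinate, so it runs offline.

```python
import struct
GPS_INFO_TAG = 0x8825  # IFD0 entry whose 4-byte value is the offset of the GPS sub-IFD

def _exif_payload(jpeg):
    """Walk the JPEG marker segments; return the TIFF block inside an Exif APP1 segment, or None."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)  # no SOI marker: nothing to walk
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: no metadata segments follow
            return None
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length
    return None
def _ifd_entries(tiff, endian, offset):
    """Yield (tag, type, count, raw 4-byte value field) per IFD entry; stop quietly on truncation."""
    count = struct.unpack_from(endian + "H", tiff, offset)[0] if offset + 2 <= len(tiff) else 0
    for i in range(count):
        if offset + 14 + 12 * i > len(tiff):
            return
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, offset + 2 + 12 * i)
        yield tag, typ, n, tiff[offset + 10 + 12 * i:offset + 14 + 12 * i]
def gps_tags(jpeg):
    """Return the GPS sub-IFD tag IDs carried in the image's Exif block ([] when there are none)."""
    tiff = _exif_payload(jpeg)
    if tiff is None or len(tiff) < 8:
        return []
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte-order mark
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return []
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    for tag, _, _, value in _ifd_entries(tiff, endian, ifd0):
        if tag == GPS_INFO_TAG:
            gps_ifd = struct.unpack(endian + "I", value)[0]
            return [t for t, _, _, _ in _ifd_entries(tiff, endian, gps_ifd)]
    return []
def build_sample_jpeg(with_gps):
    """Constructed sample: a marker-only JPEG (no pixel data) with a big-endian Exif block."""
    entry = lambda tag, typ, n, val: struct.pack(">HHI", tag, typ, n) + val
    if with_gps:  # IFD0 -> GPSInfo pointer (offset 26); GPS IFD holds GPSLatitudeRef + GPSLatitude (rationals at 56)
        ifd0 = struct.pack(">H", 1) + entry(GPS_INFO_TAG, 4, 1, struct.pack(">I", 26)) + b"\0" * 4
        gps = struct.pack(">H", 2) + entry(0x0001, 2, 2, b"N\0\0\0") + entry(0x0002, 5, 3, struct.pack(">I", 56)) + b"\0" * 4
        tiff = b"MM\0\x2a" + struct.pack(">I", 8) + ifd0 + gps + struct.pack(">6I", 12, 1, 34, 1, 56, 1)  # made-up 12d 34' 56"
    else:  # IFD0 holds only a Make tag: camera vendor present, but no location
        tiff = b"MM\0\x2a" + struct.pack(">I", 8) + struct.pack(">H", 1) + entry(0x010F, 2, 4, b"ABC\0") + b"\0" * 4
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Reporting which GPS tags exist, rather than decoding the coordinates, mirrors the plug-ins' informational alert: the auditor decides from context whether the exposure matters.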
The Image Location Scanner plug-in is available in the Burp Extender BApp Store and from the alpha channel in the ZAP Marketplace.
Get the updated Image Location Scanner source code and more information at: https://github.com/aspectsecurity/ImageLocationScanner.
You should be aware of a few limitations to these plug-ins.
- They do not detect non-standard Exif GPS tag codes.
- Mechanisms to embed named locations (e.g., Statue of Liberty, 312 Elm Street) in free-form ways will not be detected.
While some may argue that it's a user's responsibility to strip the data out of their images, these tools make it much easier to reduce an application's risk profile, which is our responsibility as developers and security professionals. Check out the tool – we'd love your feedback!