How images on Github will leak your private information

And there was data, A LOT OF DATA

Social preview:

  1. Create a repository
  2. Go to the repository settings page (i.g. https://github.com/fuomag9/POC/settings)
  3. Upload a social preview image via the GUI that contains EXIF data
  4. Obtain the image URL by page inspection or other methods (i.g. https://repository-images.githubusercontent.com/305512860/cf5bea80-1260-11eb-9c8c-b3654d358e62)
  5. Use an EXIF viewer tool, such as http://exif-viewer.com/ and put the image URL on it
  6. Metadata will be shown

Github issues:

  1. Create a repository
  2. Create an issue
  3. Drop an image in the Leave a comment that contains EXIF data in textbox from your device
  4. Wait for the upload to be completed
  5. Copy the image URL (i.g. https://user-images.githubusercontent.com/1580624/96513784-f74c4d80-1262-11eb-94b9-3715dc68e388.jpg)
  6. Use an EXIF viewer tool, such as http://exif-viewer.com/ and put the image URL on it
  7. Metadata will be shown

How did github respond to the issue? Well…

--

--

--

Self-taught pentester, I try not to suck at python developing. I love lemon ghiaccioli. Geek and otaku af. 🇮🇹

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Why you should use Open-source even if you aren’t a tech person

When Trying To Stop Bad Actors Stops Good Actors

Moving Your App to the Cloud

HackTheBox, web challenges: Lernaean walkthrough

Encryption : What it is? Why it is? How it is?

Welcome To BabyShark

PCI Compliance: What Is It, and Why Is It Important?

Defending critical infrastructure

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
fuomag9

fuomag9

Self-taught pentester, I try not to suck at python developing. I love lemon ghiaccioli. Geek and otaku af. 🇮🇹

More from Medium

Log4Shell Exploitation (CVE-2021–44228)

Web Exploitation picoCTF: login

How To Mitigate The 3 0-Day Vulnerabilities In The NGINX LDAP Reference Implementation?

OWASP Top 10 — TryHackMe | Injections