How images on Github will leak your private information

I was browsing a github repository where a guy posted its food travel pictures and while the pics were very appetizing, my mind wondered if there was information associated with the pictures he posted.

And there was data, A LOT OF DATA

By putting the URLs on , there was information about device, GPS data, time, software used, etc. I started searching on github for every place that would allow me to upload images that were vulnerable and the two locations I found were the Leave a comment functionality and the Social preview feature in the github repositories.

By doing futher tests I even discovered that images were not immediately deleted from the servers if uploaded from the comments interface but never sent. (Is this the new google photos?)

The following are the POCs I made in the hackerone report to show this behaviour:

Social preview:

  1. Create a repository
  2. Go to the repository settings page (i.g. )
  3. Upload a social preview image via the GUI that contains EXIF data
  4. Obtain the image URL by page inspection or other methods (i.g. )
  5. Use an EXIF viewer tool, such as and put the image URL on it
  6. Metadata will be shown

Github issues:

  1. Create a repository
  2. Create an issue
  3. Drop an image in the Leave a comment that contains EXIF data in textbox from your device
  4. Wait for the upload to be completed
  5. Copy the image URL (i.g. )
  6. Use an EXIF viewer tool, such as and put the image URL on it
  7. Metadata will be shown

How did github respond to the issue? Well…

Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the finding we have determined it is a known low risk issue. We may make this functionality more strict in the future, but don’t have anything to announce right now. As a result, this is not eligible for reward under the Bug Bounty program.

Even though it’s a confirmed issue with other platform such as , github does NOT consider it to be an issue. Furthermore, it got closed as informative seconds after being reported (Such fast triaging!) but I had to wait a month to get a response about disclosure. (But they don’t disclose reports on hackerone )

Self-taught pentester, I try not to suck at python developing. I love lemon ghiaccioli. Geek and otaku af. 🇮🇹

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store