Image Location and Privacy Scanner

Image Location and Privacy Scanner

Passively scans for GPS location and other privacy-related exposures in images during normal security assessments of websites. Image Location and Privacy Scanner (ILS) assists in situations where end users may post profile images and possibly give away their home location, e.g. a dating site or children's chatroom.

More information on this topic, including a white paper based on a real-world site audit given as a presentation at the New Jersey chapter of the OWASP organization, can be found at https://www.veggiespam.com/ils/.

This software scans images to find the GPS information inside of Exif tags, IPTC codes, and proprietary camera tags. Then, ILS flags the findings in the ZAP Alerts list as an information message. It would be up to the auditor to determine if location exposure is truly a security risk based on context.

Sample Findings

Configure the web browser to proxy through ZAP and then browse to a few sample sites to see Alerts being raised:

• MetaData Extractor's SampleOutput page contains some good images. (Note: For some URLs, you need a GitHub session cookie)
  • iPhone 4 shows GPS data.
  • FujiFilm FinePix S1 Pro has embedded IPTC locations and keywords.
  • Panasonic DMC-TZ10 shows proprietary Panasonic MakerNote tags including city, state, country along with facial recognition information, like the name and age of the person in the picture. ZAP screenshot is shown below.
• This professional photographer utilizes Exif & IPTC data in many of the full-sized (non-thumbnail) photos: Raia.com

Usage Notes

• Before ZAP 2.7.x, you must manually enabled image scanning with: Tools → Options → Display → "Process images in the HTTP requests/responses" for ILS to function at all.
• By default, ZAP hides images in the history, but ILS stills scan these images for findings. If an alert is triggered, then the image and its alerts will appear in the Alerts tab but not in the History tab. To show images in the history, both with alerts and without, enable with "Process images in the HTTP" as above.
• If you have image processing completely disabled via Tools → Options → Network → Global Exclusions → Extension - Image (née Global Exclude URL), then any passive image scanner, like ILS, will be unable to see the images and report on privacy issues - thus disuse this feature with images so ILS can function.