Details
Alert ID 10103
Alert Type Passive
Status beta
Risk Informational
CWE 200
WASC 13
Technologies Targeted All
Tags CWE-200
OWASP_2017_A06
OWASP_2021_A05
WSTG-V42-INFO-05
More Info Scan Rule Help

Summary

The image was found to contain embedded location information, such as GPS coordinates, or another privacy exposure, such as a camera serial number. Depending on the context of the image on the website, this information may expose private details of the site's users. For example, a site that allows users to upload profile pictures taken at home may expose the home's address.

Solution

Before allowing images to be stored on the server and/or transmitted to the browser, strip the embedded location information out of the image. This could mean removing all Exif data or just the GPS component. Other data, such as serial numbers, should also be removed.
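The check and the fix from this page, as an added example (not the scan rule's own Java code listed under Code): a dependency-free Python walk of a JPEG's Exif APP1 segment that flags the GPS IFD and camera serial-number tags, plus a server-side step that drops the Exif segment before the upload is stored. The JPEG it runs on is constructed inline and carries only the metadata segment, no image data.

```python
import struct

EXIF_IFD_POINTER = 0x8769  # IFD0 tag pointing at the Exif sub-IFD (where serial numbers live)
PRIVACY_TAGS = {0x8825: "GPSInfo", 0xA431: "BodySerialNumber", 0xC62F: "CameraSerialNumber"}

def _segments(jpeg):
    """Yield (marker, start, end, payload) for each marker segment before the scan data (SOS)."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, pos + 2 + length, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def _ifd_tags(tiff, order, offset):
    """Return {tag: value} for the IFD at `offset` (LONG values decoded, others left as raw bytes)."""
    count = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    entries = (struct.unpack(order + "HHI4s", tiff[o:o + 12]) for o in range(offset + 2, offset + 2 + 12 * count, 12))
    return {tag: struct.unpack(order + "I", raw)[0] if typ == 4 else raw for tag, typ, _n, raw in entries}

def exif_privacy_tags(jpeg):
    """Names of privacy-relevant Exif tags present: a GPS IFD and/or camera serial numbers."""
    found = set()
    for marker, _s, _e, payload in _segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff, order = payload[6:], ("<" if payload[6:8] == b"II" else ">")
        ifd0 = _ifd_tags(tiff, order, struct.unpack(order + "I", tiff[4:8])[0])
        exif_ifd = _ifd_tags(tiff, order, ifd0[EXIF_IFD_POINTER]) if EXIF_IFD_POINTER in ifd0 else {}
        found.update(name for tag, name in PRIVACY_TAGS.items() if tag in ifd0 or tag in exif_ifd)
    return found

def strip_exif(jpeg):
    """Remove every Exif APP1 segment (the 'remove all Exif data' option); image data is untouched."""
    out, last = bytearray(), 0
    for marker, start, end, payload in _segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            out += jpeg[last:start]
            last = end
    return bytes(out + jpeg[last:])

def build_sample_jpeg():
    """Constructed minimal JPEG: SOI, a little-endian Exif APP1 with GPS IFD + BodySerialNumber, EOI."""
    def entry(tag, typ, n, value):  # one 12-byte IFD entry whose value fits inline (<= 4 bytes)
        return struct.pack("<HHI", tag, typ, n) + value
    ifd0 = struct.pack("<H", 2) + entry(EXIF_IFD_POINTER, 4, 1, struct.pack("<I", 38)) \
        + entry(0x8825, 4, 1, struct.pack("<I", 56)) + bytes(4)                  # TIFF offsets 8..38
    exif_ifd = struct.pack("<H", 1) + entry(0xA431, 2, 4, b"X1\0\0") + bytes(4)  # offsets 38..56
    gps_ifd = struct.pack("<H", 1) + entry(0x0000, 1, 4, b"\2\3\0\0") + bytes(4)  # offsets 56..74
    payload = b"Exif\0\0II\x2a\0" + struct.pack("<I", 8) + ifd0 + exif_ifd + gps_ifd
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

Run `exif_privacy_tags` on an upload to decide whether to reject or clean it, and `strip_exif` before the bytes are written to storage; XMP and other APP1 payloads are left in place, so extend the marker check if those also carry location data in your pipeline.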

Other Info

References

Code

org/zaproxy/zap/extension/imagelocationscanner/ImageLocationScanRule.java