Fedotkin Zakhar - Reveal the unseen: Getting access to data with graphic file editing libraries
Published at: 23 Dec 2020
A wide variety of standards allow additional information (comments) to be added to media files. EXIF (Exchangeable Image File Format), Adobe XMP (eXtensible Metadata Platform), and PNG text chunks are only a few of them. They are supposed to help record information such as the copyright holder, date and time. But does the theory match reality?
In this report, we review widely known tools for extracting metadata in the context of bug bounty websites and elaborate on ways to automate the process.
It has been two years already since ImageTragick stirred up the community. Still, developers tend to entrust the conversion of user-supplied images to a library. What data can an attacker pilfer without using external libraries? What is CVE-2018-16323 all about? How can one exploit the vulnerability? We will demonstrate all of this using the case of a real web application.