Rich Rines

Entrepreneur | Brogrammer | Biz Dev Ninja |
Boston College | Applied Power Innovations


Aug 23

Image Metadata and Social Media

Today many Internet users frequently upload pictures to Facebook, Twitter, G+, Instagram, etc., and this can pose some severe security risks. It has become common practice to whip out your smartphone and upload pictures of your stuff, stupid things you and your friends are doing, etc. What many users do not know is that the images they upload often contain potentially threatening metadata; the metadata we are particularly concerned with is descriptive metadata. Descriptive metadata, essentially “data about data contents”, may contain information such as GPS coordinates, phone make and model, etc. This information can be discovered very easily with basic metadata reading, writing, and extraction tools such as exiftool, which could provide a would-be attacker with several pieces of valuable information. Social media services, in particular Twitter and Facebook, also have established practices in which users update their followers/friends with their current activities. If you combine a photo of a desirable object (without removing dangerous metadata) with telling the world you’re not home, you are inviting attackers.

How simple and effective this attack is can be illustrated through pictures. I simply googled for a blog post about pictures taken from mobile phones and ran across some Android forums. The first post I viewed was a picture of a user’s new car, and I proceeded to download it.

Thirty seconds later I ran exiftool and, as guessed, the picture contained lat/long/alt coordinates, phone make and model, the programs he used to edit the photo, etc. (Photo has truncated output)


I could have then plugged the coordinates into Google Maps to reveal the street address of the vehicle. With this information and the information the user provided about himself, like his name, I could do a phone lookup. Now, after two minutes, I know the user’s name, wireless carrier, and any listed phone numbers. If desired, one could begin to attempt to social engineer their way into finding out the user’s email address or far more harmful information. So the long and short of it is to be careful what you’re uploading: you are giving out far more information than you think.
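Removing the dangerous metadata before uploading is a matter of dropping the right segments from the JPEG file. The sketch below is an added example, not code from the original post: it walks the JPEG header segments and removes the APP1 segments that carry Exif (GPS, make/model, editing software) and XMP. The function names and the sample bytes are constructed for illustration, and other metadata carriers such as IPTC (APP13) and comment segments are not handled.

```python
import struct

EXIF_ID = b"Exif\x00\x00"                  # identifier of an Exif APP1 segment
XMP_ID = b"http://ns.adobe.com/xap/1.0/\x00"  # identifier of an XMP APP1 segment

def iter_segments(jpeg):
    """Yield (marker, payload, raw) for each header segment, ending at SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, keep it whole
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated segment at offset %d" % pos)
        yield marker, jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length

def is_metadata(marker, payload):
    # APP1 (0xE1) is where Exif and XMP live; everything else is left alone
    return marker == 0xE1 and payload.startswith((EXIF_ID, XMP_ID))

def has_metadata(jpeg):
    return any(is_metadata(m, p) for m, p, _ in iter_segments(jpeg))

def strip_metadata(jpeg):
    """Return the same JPEG with Exif/XMP segments removed, pixels untouched."""
    kept = [raw for m, p, raw in iter_segments(jpeg) if not is_metadata(m, p)]
    return b"\xff\xd8" + b"".join(kept)

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a JPEG skeleton (not a viewable image) with one Exif segment.
EXIF_BODY = EXIF_ID + b"constructed-gps-and-device-tags"
SAMPLE = (b"\xff\xd8"
          + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, EXIF_BODY)
          + _seg(0xDA, b"\x00") + b"scan-data" + b"\xff\xd9")

if __name__ == "__main__":
    clean = strip_metadata(SAMPLE)
    print(has_metadata(SAMPLE), has_metadata(clean), len(SAMPLE) - len(clean))
```

Running exiftool on the output afterwards is a quick way to confirm that no location or device tags remain before the picture is posted.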
