Packet Storm EXIF Data Disclosure
Vulnerability Description :-

When a user uploads an image to https://packetstorm.news, the uploaded
image's EXIF geolocation data is not stripped. As a result, anyone can
obtain sensitive information about https://packetstorm.news users, such as
their geolocation and their device information (device name, version,
software and software version used, etc.).

Steps to Reproduce :-

1. Navigate to this URL :- https://packetstorm.news/
2. Log in with valid credentials
3. Upload an image [ you can download an image containing metadata from here
:- https://github.com/ianare/exif-samples/tree/master/jpg ]
4. After uploading, right-click on the image and open it in a new tab
5. Copy the URL of that image or download the image
6. Navigate to this website :- https://exif.tools
7. Paste that link or upload the downloaded image there and check the EXIF
geolocation data: it is not stripped from the uploaded image
8. Please refer to the proof of concept attached below for a better understanding
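As an added example (not part of the original report or of Packet Storm's code), the server-side check a defender would want: a stdlib-only Python routine that detects a GPSInfo IFD inside a JPEG's Exif APP1 segment and strips that segment before the file is stored, exercised against a constructed minimal JPEG.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD (lat/long, altitude, time)
EXIF_HDR = b"Exif\x00\x00"

def jpeg_segments(data: bytes):
    """Split a JPEG into header segments [(marker, raw_bytes)] and the rest from SOS on."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos, segs = 2, []
    # Every header segment before SOS (0xDA) carries a 2-byte length that counts itself.
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segs.append((data[pos + 1], data[pos:pos + 2 + length]))
        pos += 2 + length
    return segs, data[pos:]

def is_exif_app1(marker: int, seg: bytes) -> bool:
    return marker == 0xE1 and seg[4:10] == EXIF_HDR

def has_gps_ifd(data: bytes) -> bool:
    """True if the Exif TIFF block's IFD0 contains a GPSInfo pointer (location metadata)."""
    tiff = next((s[10:] for m, s in jpeg_segments(data)[0] if is_exif_app1(m, s)), None)
    if tiff is None or len(tiff) < 8:
        return False
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte order
    if end is None or struct.unpack(end + "H", tiff[2:4])[0] != 42:
        return False
    ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
    n = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0] if ifd0 + 2 <= len(tiff) else 0
    for i in range(n):  # each IFD entry is 12 bytes and starts with its 2-byte tag
        e = ifd0 + 2 + 12 * i
        if e + 2 <= len(tiff) and struct.unpack(end + "H", tiff[e:e + 2])[0] == GPS_IFD_TAG:
            return True
    return False

def strip_exif(data: bytes) -> bytes:
    """Drop every Exif APP1 segment; other segments and the scan data are kept byte-for-byte."""
    segs, rest = jpeg_segments(data)
    return b"\xff\xd8" + b"".join(s for m, s in segs if not is_exif_app1(m, s)) + rest

def sample_jpeg() -> bytes:
    """Constructed test input: SOI, Exif APP1 with a GPSInfo pointer, then a stub SOS."""
    gps_ifd = struct.pack("<HHHI", 1, 0x0001, 2, 2) + b"N\x00\x00\x00" + b"\x00" * 4  # GPSLatitudeRef="N"
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD_TAG, 4, 1, 26) + b"\x00" * 4  # GPS IFD at 8 + 18
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd
    app1 = b"\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_HDR + tiff
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

Real uploads should also be re-encoded or checked for other metadata containers (XMP in APP1, IPTC in APP13), since only the Exif segment is handled here.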

Reference :- https://hackerone.com/reports/446238


Impact :-

This vulnerability is CRITICAL and impacts the entire https://packetstorm.news
customer base. It violates users' privacy by exposing sensitive information
about any user who uploads an image to https://packetstorm.news.



---
Packet Storm note:

2025/10/13:

A bad code push stripped a strip and exif data remained in some uploaded images. Our analysis shows only 0.004% of pics were affected and they have all been stripped to ensure no further exposure. This included pictures for 3 users (a packet storm admin one of them, the researcher the other, and a third pic that was not an accessible pic but rather a stored image on the backend that had been converted), along with an advertisement test image. We took the site offline during this process to mitigate further disclosure in case the issue was bigger. The primary vector of attack was addressed, tested, and pushed live. We would like to extend our thanks to Vaibhav Jain for reporting the issue.