Jay Taylor's notes


ExifLooter – finds geolocation info on all URLs and directories | Hacker News

Original source (news.ycombinator.com)
Tags: security exif geolocation data-harvesting news.ycombinator.com
Clipped on: 2022-07-31

Looking through the code, this is mostly a wrapper around exiftool.

I added metadata removal for images to exifLooter https://github.com/aydinnyunus/exifLooter

Yes. Added to the README.

Thanks to fahrradflucht for the contribution.

So if I take a photo with my iPhone and upload the photo using a web form, does the website get the exif data (GPS coordinates) or does Safari strip that prior to upload?

The website gets it. Safari does not strip it.

IMHO that's the correct thing to do. Maintaining GPS coords is highly desirable when uploading photos to your photo storage solution. It would be very sad if they were all lost.

Most web apps (such as facebook, slack) will strip the exif data though, so you don't always need to worry about it.

Depends who you're worried about having the EXIF data. Sure Facebook strips the EXIF before rehosting the image for others to consume, but given Facebook's nature I'm certain they use the EXIF data to track you.

If you don't want Facebook knowing exactly where you were at a given datetime, you'll still want to manually strip the EXIF before uploading.

Or don't upload pictures to Facebook.

Seems like a nice feature of the browser would be to tell you when you’re uploading location data and offer to strip it.

That does sound nice, although it's probably only something we would like. I would imagine the vast majority of people would be like, "Wut" when the dialog popped up. Would make a killer extension though.

That *does* seem like it'd be a nice feature, and maybe even not that hard to implement. Mebbe some crafty developer could build a feature like that as a browser "add-on" / plugin.

It appears not. Safari appears to remove the GPS data when you upload. I tested it myself by uploading a photo to https://exif.tools/ and no GPS location was reported. The same image copied to my laptop and then checked locally with exiftool did have the GPS location.

Also see this thread https://apple.stackexchange.com/questions/326789/gps-exif-fr...

This is what I suspected. There were issues with iPhone photo rotation being incorrect after upload so you had to do it manually. I think this is because the EXIF data was missing.

I think people on this thread are confusing uploading in the browser with uploading via the Facebook app

To be clear, exif data was still present when uploaded (including the orientation data) but the GPS location had been removed. I think problems with photos being incorrectly orientated is more to do with the website not correctly interpreting (or completely ignoring) the relevant exif data.

Browsers do not strip the exif data, but websites should remove it. According to Bugcrowd's Vulnerability Rating Taxonomy, the severity of the vulnerability is P3-P4 (medium-low) because the vulnerability leaks anybody's GPS data.

Failing to strip exif is traditionally one of the first mistakes most new sites with photo sharing make. Browsers wouldn't strip it since it is useful information that's used by many sites. Sites that keep it on purpose just have the good sense to make revealing it optional or selective.
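
The server-side removal that the two comments above say photo-sharing sites should perform, as an added example that is not part of the thread or of exifLooter's code. The function names (`split_segments`, `has_exif`, `strip_metadata`, `make_segment`) and the `SAMPLE` bytes are constructed for illustration, and the parser assumes a baseline JPEG whose header holds only length-prefixed segments before start-of-scan.

```python
import struct

SOS = 0xDA
# Marker codes dropped here: APP1 (Exif, XMP), APP13 (IPTC), COM (comments).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}

def split_segments(data):
    """Yield (marker, raw_segment) for each header segment, ending with SOS + scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker == SOS:           # compressed scan follows; copy it verbatim
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("malformed or truncated segment")
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no start-of-scan segment found")

def has_exif(data):
    return any(m == 0xE1 and seg[4:10] == b"Exif\x00\x00"
               for m, seg in split_segments(data))

def strip_metadata(data):
    """Return the JPEG with metadata segments removed, not blanked in place."""
    kept = [seg for m, seg in split_segments(data) if m not in METADATA_MARKERS]
    return b"\xff\xd8" + b"".join(kept)

def make_segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a structurally valid header, not a decodable picture.
SAMPLE = (b"\xff\xd8"
          + make_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + make_segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08GPS-PLACEHOLDER")
          + make_segment(0xDB, bytes(65))
          + make_segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE)
    print(has_exif(SAMPLE), has_exif(cleaned), len(SAMPLE) - len(cleaned))
```

Dropping the whole APP1 segment also removes the Exif orientation tag, so a site that strips this way has to apply the rotation to the pixels first or keep that one tag.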

I believe the website gets it all.

I added metadata removal for images to exifLooter https://github.com/aydinnyunus/exifLooter

Could be useful for revenge porn dumps and AnonIB, newchan, etc. Lots of leaked nude photos still contain Lat Lon data.

How is it useful? If the victim takes the photo of herself/himself, this tool gets the victim's location or metadata.

He forgot this wasn't /g/

Capture all images from your browsing using mitmproxy and auto pass to this could be fun. Have it log the source url, etc?

There is an extension for Burp Suite that does exactly your idea.


why is spying on others "valuable" ? how is it not just obsession-material at the individual level and security-state building at the social level?

one existential answer to this is -- "security" must be constant by its nature. Over time, budgets, training and attention settle to a lowest-common-denominator of "security" while authorship, initiative, marks of individuality and evolution fall by the wayside in the murk of "responding to threats" .. while insecurity and overwhelm in an individual push towards addiction and obsession.

Basically, viewed one way, this hack tool feeds a public movement towards funding constant security while there are provable deficits of resources and attention in many directions.

As an American I heard stories of the "awful" East German communist state with Stasi informants, yet similar reinforcing dynamics seem to be in play now in the "free world" ..

I religiously strip metadata with ExifCleaner[0]. Thankfully old cameras don’t have GPS sensors, but with the new ones you have to be careful, including smartphone cameras. Metadata in images serves no other purpose than invading privacy. That and being able to sort media by location, time, etc

[0] https://exifcleaner.com/

> Metadata in images serves no other purpose than invading privacy.

That's not true as a blanket statement. If it weren't for gps metadata, photogrammetry[1] would be very difficult. I am able to make my own "google earth" type maps with a much higher degree of detail because I can fly my drone 100 feet over the land and take thousands of gps-stamped pics vs outdated google maps satellite imagery and then get them all stitched together to make a large GeoTIFF. All the processing is done on my PC using opensource WebODM[2], which can then be imported into opensource QGIS where accurate elevation data can be added. It also creates textured 3d models of the land and buildings which can then be imported into opensource 3d apps like Blender. It's been a huge boost.

I also like being able to show all of my various images on a map to see where they were taken.

[1] https://en.wikipedia.org/wiki/Photogrammetry

[2] WebODM quick 3D demo: https://www.youtube.com/watch?v=G3pMJR-L0Gk

> Metadata in images serves no other purpose than invading privacy

I don't upload my photos anywhere public. I keep metadata on so I can sort them by location. Uploading photos to the public web is really what is invading your privacy.

Exactly. It serves great purpose to me. I love being able to see exactly where a photo was taken. I have cherished vacation photos from many years ago and I don't remember where we were. When location data is there, I can pinpoint the exact trail or campsite, even when it was very remote. There are also photos of my kids where I'm not sure which house/area we were living in at the time. Location data solves this.

Since the location information can easily be removed but is extremely difficult to add, the clear solution to me seems to be to strip it when not wanted, and only upload your photo to trusted services. Most legit services will strip the info anyway (facebook, slack for example).

If you followed the story of Shia LaBeouf's "He Will Not Divide Us" where they used things like aircraft flight paths to find the location of a flagpole that moved multiple times, it isn't clear that stripping metadata will save you anyway. I assume anything that I post will leak the location for a dedicated enough person.

I added metadata removal for images to exifLooter


Thank you for your idea. I can add a new parameter like "exiftool --image image.jpeg --remove" to remove all metadata from the image.

How does this differ from exiftool -all= image.jpeg? Would it actually _remove_ the data rather than overwriting it? The difference isn't apparent to me from the parent comment or skimming the exifcleaner site/readme.

Oh, I typed it wrong. I mean adding a remove parameter to my CLI tool, like exifLooter --remove --image=image.jpeg

Why is exiftool -all= image.jpeg not enough? Or I think overwriting the metadata with empty ones will be okay.

What is the difference between exiftool --image image.jpeg --remove and exiftool -all= image.jpeg? It sounds like there is a benefit in adding the --remove flag but it's not clear to me what it is. Thanks!

I added metadata removal for images to exifLooter https://github.com/aydinnyunus/exifLooter
