How To Track Down Your Ex(if)

Adding JPEG Exif detection to your penetration regimen and learning how to practice Safe (s)Exif

Abstract:  We unintentionally distribute GPS data with every photograph, including indoor pictures. This talk will describe a real-world scenario involving a remote education site where teachers & students exposed their confidential home addresses via profile pictures. Two new ZAP & Burp plug-ins will be released to automate GPS data discovery during normal security assessments. In addition, suggestions for websites to protect their users and to remove the GPS data will also be provided.


I gave this presentation about information security and privacy around images to the Organization of Web Application Security Professionals for the New Jersey chapter at the February 26 colloquium.  I also released two pieces of software: plug-ins for ZAP and Burp.  As promised, here are the slides, silent video, and links to the source code.

Thanks to the sixty-five of you who attended my talk.  And thanks to the few of you who e-gifted me a coffee.  If you haven’t done that and wish to keep me caffeinated, do the gifting at starbucks.com/shop/card/egift using the email of owasp <åt> veggiespam <døt> com.  You can also send questions about the talk there too.

I will present more on this topic at a future date.  Comments via email, the twitters @veggiespam, or in this blog are appreciated.  Thanks.

-j