With a plethora of enhancements and bug fixes, I have released the newest version of the Image Location Scanner and Privacy Scanner (ILS) plug-in for the Burp and ZAP penetration testing tools. It now detects privacy leaks from newer Samsung & Sony cameras, supports HEIF image files, and processes images faster. Update to v1.2 of the plug-in in Burp’s BApp Store or ZAP’s Marketplace to gain the latest functionality and features.

ILS passively scans for GPS location and other privacy-related exposures in images during normal security assessments of websites via plug-ins for both Burp & ZAP. It assists in situations where end users may post profile images and possibly give away their home location, e.g. a dating site or children’s chatroom.

More information on this topic, including a white paper based on a real-world site audit given as a presentation at the NYC+NJ chapters of the OWASP organization, can be found at https://www.veggiespam.com/ils/. For sample images with embedded camera serial numbers or GPS location, see the GitHub Project Page.

ILS scans images to find the GPS information inside Exif tags, IPTC codes, and proprietary camera tags (aka “Makernotes”). It then flags the findings in the Burp Scanner issue list or the ZAP Alerts list as an informational finding. It is up to the auditor to determine, based on context, whether the location exposure is truly a security risk.
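To make the Exif part of that detection concrete, here is an added example that is not part of the original post and not the ILS plug-in's own code: a minimal Python parser that walks a JPEG's marker segments, pulls the TIFF blob out of the APP1 "Exif" segment, follows the GPSInfo IFD pointer (tag 0x8825) and converts the GPSLatitude/GPSLongitude rationals plus their N/S/E/W reference tags into signed decimal degrees. The JPEG it scans is constructed inside the script (header and Exif metadata only, no pixel data) with hypothetical coordinates; IPTC and Makernote tags are out of scope for this snippet, and the parser refuses IFD or value offsets that point outside the buffer rather than trusting a user-supplied file.

```python
import struct

# Standard TIFF/Exif tag and type numbers (from the Exif specification)
TAG_GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _entry(tag, typ, count, value):
    """One 12-byte little-endian IFD entry; values of 4 bytes or fewer are stored inline."""
    return struct.pack("<HHI", tag, typ, count) + value.ljust(4, b"\0")


def build_exif_tiff(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: little-endian TIFF blob, IFD0 -> GPS IFD holding lat/lon.
    Layout: header(8) | IFD0(18) | GPS IFD(54) | lat rationals(24) | lon rationals(24)."""
    gps_off = 8 + 18
    data_off = gps_off + 2 + 4 * 12 + 4
    rationals = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    header = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = (struct.pack("<H", 1)
            + _entry(TAG_GPS_IFD_POINTER, TYPE_LONG, 1, struct.pack("<I", gps_off))
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + _entry(GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0")
           + _entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack("<I", data_off))
           + _entry(GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0")
           + _entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack("<I", data_off + 24))
           + struct.pack("<I", 0))
    return header + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)


def build_jpeg(tiff):
    """Constructed sample: SOI, one APP1 'Exif' segment with the TIFF blob, EOI (no pixel data)."""
    payload = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def exif_from_jpeg(data):
    """Walk JPEG marker segments; return the TIFF body of the APP1 Exif segment, or None."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start-of-scan: metadata segments are over
            break
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        body = data[pos + 4 : pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]
        pos += 2 + seg_len
    return None


def _read_ifd(buf, off, e):
    """Parse one IFD into {tag: (type, count, raw 4-byte value field)}; reject out-of-range offsets."""
    if off + 2 > len(buf):
        raise ValueError("IFD offset outside buffer")
    n = struct.unpack_from(e + "H", buf, off)[0]
    if off + 2 + 12 * n > len(buf):
        raise ValueError("IFD entry table truncated")
    entries = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", buf, base)
        entries[tag] = (typ, count, buf[base + 8 : base + 12])
    return entries


def _value(buf, e, typ, count, raw):
    """Decode the ASCII / LONG / RATIONAL value types the GPS IFD uses."""
    if typ == TYPE_ASCII:
        data = raw if count <= 4 else buf[struct.unpack(e + "I", raw)[0]:]
        return data[:count].rstrip(b"\0").decode("ascii", "replace")
    if typ == TYPE_LONG:
        return struct.unpack(e + "I", raw)[0]
    if typ == TYPE_RATIONAL:
        off = struct.unpack(e + "I", raw)[0]
        if off + 8 * count > len(buf):
            raise ValueError("RATIONAL data outside buffer")
        v = struct.unpack_from(e + "II" * count, buf, off)
        return [(v[2 * i], v[2 * i + 1]) for i in range(count)]
    return None


def extract_gps(tiff):
    """Return (latitude, longitude) in decimal degrees, or None when the GPS IFD is absent/incomplete."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order from the TIFF header
    if e is None or len(tiff) < 8 or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        return None
    ifd0 = _read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if TAG_GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, _value(tiff, e, *ifd0[TAG_GPS_IFD_POINTER]), e)
    if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def decimal(dms, ref):
        if len(dms) != 3:
            return None
        d, m, s = (n / den if den else 0.0 for n, den in dms)
        val = d + m / 60 + s / 3600
        return -val if ref in ("S", "W") else val

    lat = decimal(_value(tiff, e, *gps[GPS_LAT]), _value(tiff, e, *gps[GPS_LAT_REF]))
    lon = decimal(_value(tiff, e, *gps[GPS_LON]), _value(tiff, e, *gps[GPS_LON_REF]))
    return None if lat is None or lon is None else (lat, lon)


def scan_jpeg_for_gps(data):
    """What a passive scanner would run over a served image: None means no location exposed."""
    tiff = exif_from_jpeg(data)
    return extract_gps(tiff) if tiff else None


if __name__ == "__main__":
    # Hypothetical coordinates: 40 deg 42' 46" N, 74 deg 0' 21" W
    sample = build_jpeg(build_exif_tiff([(40, 1), (42, 1), (46, 1)], "N",
                                        [(74, 1), (0, 1), (21, 1)], "W"))
    print(scan_jpeg_for_gps(sample))               # -> (40.712777..., -74.005833...)
    print(scan_jpeg_for_gps(b"\xff\xd8\xff\xd9"))  # -> None: no Exif segment present
```

The same check works as a pre-publication guard on an upload pipeline: if `scan_jpeg_for_gps` returns coordinates for a profile image, the service can strip the metadata before serving it instead of leaving the auditor to find it later.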

Download today and enhance your security testing.