Beware of the meta.

>What you are about to read is common knowledge to a lot of people.

Certain file formats such as MP3, JPEG and PNG (the list is too long to mention here) contain special fields that store extra information.
The MP3 file format, for example, contains metadata for comments, title, artist, etc. Even if you move the file to another computer, most of this metadata remains; these fields are usually predefined by the file format. You can check this by downloading a PNG file, for example, and opening it with the hex editor of your choice. Depending on the file format, you may find this info either at the top or at the bottom of the file.

Anyway, keeping this in mind has helped me many times, mostly in hacking challenges such as the Can you crack it? challenge or the B-Sides challenges, not to mention that knowing file formats has brought new exploits and, of course, vulnerabilities to life. It was even used in the Cyber Coalition of NATO some time ago with a PDF file.

This knowledge came in handy some time ago. When some people buy something new, they NEVER read the fucking manual, nor do they figure out how this brand new shiny thing works. They just learn the essentials to use it, not how to maximize its effectiveness or how to stay secure. When it comes to smartphones, they have a GPS device and guess what… By default they store the location of your photo, the altitude of the place where the photo was taken, the device that took the photo and a lot of other useful information. Then people just upload the photo somewhere.

Accessing this information is not difficult, and since most of these photos are made publicly available, the first tool someone needs is a web browser. Since I use Firefox for a variety of reasons, I found an add-on named FxIF that shows the metadata of a picture, and I was able to access a lot of information.

About this thing. This is a privacy infringement, but it is not the manufacturer’s fault; it is the owner’s problem, because he just randomly clicks whatever pops up on his screen. Countermeasures are available, but they are not applied everywhere. Facebook, for example, cleans the metadata from photos; not sure if it stores it somewhere though, which should be a NO NO.
Twitter on the other hand doesn’t.

The problem lies in the fact that, by default, a photo contains so much info that it is easy to locate someone or blow your anonymity. Below is an example of a picture. The picture was taken by a guy who owns an iPhone 4; we know the date it was taken, where it was taken and a lot of information that we don’t need, and we can locate the accurate position (yes, I know where it was taken). Problem is, this building is supposed to be secure and citizens like me shouldn’t know where suspects are held; in this case we know both the location of the building and on which floor the picture was taken.

Beyond the obvious fact of privacy infringement, this could lead to other, severe information leakages, and I guess there are companies and people that don’t want this. So, for your own good, turn off GPS location when taking photos.

Hint: This doesn’t happen only with smartphones; I checked and verified that it happens with certain dSLRs too, and, to no surprise, you have the choice to turn it off. Turn it off.
