How much Info does Metadata leak?
Metadata is a part of a file that contains overview/basic information about the file itself. The metadata usually contains pretty invasive information, or it could contain absolutely confidential ones, like I will demonstrate in this article.
People don't really give a damn about their privacy, and I will show you how devastating can a metadata leak be. Hopefully after reading this article you will realize how much danger the metadata can pose to your safety.
Privacy & Medatada
I took this file and added bogus metadata to it:
Don't worry all the metadata is fake, and it's for education/illustration purposes to show you how much can a photo leak about you. So let's see the following fictional scenario:
OK so let's suppose my name is John Doe, and I'm a trendy liberal from California, and I don't care about my privacy. I have uploaded a photo of my bedroom to Facebook, because why not? I also have a virus on my PC, because I surf a lot of porn sites, and to my bad luck, the virus embeds keylogged information into photos, to exfiltrate them from my PC in a covert way.
So here is my bedroom photo that I uploaded to Facebook in this scenario (it contains the fictional metadata):
So this is the picture file that has all the metadata. Download it and examine it for yourself. On the surface it looks like just another photo of a bedroom. And although it already gives ideas to potential burglars about my potential wealth and such, so it would not be a good idea to post bedroom pictures on Facebook, but John Doe is clueless, so he doesn't care.
Now if we examine the photo's metadata, here is where your mind will be blown:
First we have the basic file informations, that are specific to this format .jpg. It contains the last modification time, which means that the burglar knows when the file was uploaded, so he may know if you are at home or not.
Then it has a comment box that could contain any text, so the malware on John's PC can embed any information here.
Then we have the EXIF data, which contains general metadata. Our file contains the model of the device it was made with. John made the photo with a NIKON D5200 camera, revealing more info about John.
It also contains the GPS coordinates of the photo's origin, which means that a potential burglar knows now exactly where his house is, since the photo was taken in the bedroom. Now this data is embedded in almost every photography taken with a camera by default, so whatever you post online, they know where it was taken.
So a burglar can now visit you, if he sees that your bedroom has valuables inside it.
Now this is when it becomes scary. The XMP metadata can contain all sorts of information in it. Which may be sent by the camera, but it can also be sent by the malware. So if John has a malware on his PC, the malware can modify the photo and add all sorts of information in it, that the malware has collected on him, during his browsing.
This is not a default feature of metadata, but this kind of information can easily be added by a malware, and then you are fucked.
It contains John's location, street address, date of creation, email address, and as a bonus, the keylogger malware also embedded his Bitcoin Private key and Bank card info in it.
John is deeply fucked now. 2500 BTC can be stolen from him now, and his bank card is endangered as well. All because he has a damn virus on his PC.
Yes and this can happen to anybody. A virus may be detected if it sends out information through the internet, but if it embeds the information inside a picture, and waits until you upload it voluntarily to Facebook or other places, then it becomes a very clever way to steal data from you.
So the point is that metadata is very dangerous, even if it doesn't have a virus that embeds confidential info inside it, the GPS location and the camera info is sometimes enough for a sophisticated burglar.
There have been cases where burglars robbed people over Facebook info, so don't make burglar's jobs easier by voluntarily handing over information in your photos.
Clean Metadata
To clean metadata I recommend MAT: https://mat.boum.org
It works on Linux/Debian, if you are using Windows, I'm sorry but you are not serious about privacy in the first place, however there are tools for Windows too:
- https://www.cnet.com/how-to/remove-metadata-from-office-files-pdfs-and-images/
- http://www.makeuseof.com/tag/3-ways-to-remove-exif-metadata-from-photos-and-why-you-might-want-to/
After I have removed the metadata from my bedroom.jpg, here is the clean file, named clean file.jpg, but without the metadata. You can download it, and compare the 2. It's the same image, but without the metadata.
So as you can see, this image has absolutely no metadata in it, that can leak sensitive info out:
Even if there is a virus on your PC that gathers a lot of information about you, at least it can't leak out the information via this channel. As for your network security, that is another issue.
Sources:
https://pixabay.com
