In my previous post, I discussed the recent enhancements to Fiddler’s ImageView extension that expose metadata about image files under inspection. My initial goal in exposing metadata was to help you optimize the size of images in order to build faster websites. However, in some cases the privacy implications of such metadata can be of far greater concern.

EXIF GPSInfo

As I started exploring the metadata found in real-world images, I found a surprising number of photos contain the GPS coordinates of the camera, stored within a GPSInfo structure in the EXIF metadata within the JPEG. Most of the images with metadata were captured using Apple iPhones, along with a handful of Windows and Android phones.

Because GPS information isn’t exposed by most browsers or viewers, there’s good reason to expect that many users are unaware that their location is being broadcast along with the image. In one recent high-profile incident, for instance, several people noticed that a journalist’s interview with a prominent individual “in hiding” included a photo taken by an iPhone. Unknown to the photographer or the subject, the EXIF data in the published photo included the exact location where the photo was taken.

The original photo from that case can be found in an article that Sophos security wrote on the topic. If you view the photo in Fiddler v2.4.2.5 or later, the GPSInfo is extracted and displayed, and the Find on Map… link appears. When clicked, the location is mapped using Bing Maps.


If you prefer to use Google Maps, you can simply set a preference to use that service. In the QuickExec box under Fiddler’s Web Sessions list, type:

    prefs set fiddler.inspectors.images.MapURI http://maps.google.com/?q={0}

…and hit Enter. If you ever change your mind, you can enter about:config to view and change all of Fiddler’s preferences.

Inspecting Local Photos

If you want to see whether a picture on your own computer includes EXIF data like the GPS Info, you can simply drag/drop the image from the desktop to Fiddler’s Web Sessions list. When you drop the image, Fiddler will generate a “dummy” Web Session for the local file, and you can use the ImageView inspector to examine its metadata.

Other Privacy-Impacting EXIF data

Dire as it is, the GPS location of the image isn’t the only source of privacy concern. Most high-end cameras include an EXIF structure known as a MakerNote which includes a great deal of metadata about the camera, including, in some cases, a unique serial number and the owner’s name. Because the formatting of data within a MakerNote is not standardized, Fiddler does not parse it and simply indicates its presence and size.

Stripping and Lying

Most image optimization tools can easily strip out all EXIF metadata to optimize the size of an image. Other tools enable the user to alter the content of the EXIF structures, so you could take a photo in one place but alter the metadata to make it appear as if it were taken elsewhere.
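To confirm that a stripping tool really removed the GPSInfo and MakerNote structures before you publish a photo, you can walk the JPEG's EXIF block yourself. The following is an added example, not Fiddler's code: the function names and the constructed sample image are assumptions for illustration, while the tag numbers (0x8769, 0x8825, 0x927C) are the standard EXIF ones.

```python
import struct

EXIF_IFD, GPS_IFD, MAKERNOTE = 0x8769, 0x8825, 0x927C  # standard EXIF tag ids

def exif_tiff(jpeg):
    """Return the TIFF block inside the first APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    # Walk the metadata segments; stop at start-of-scan (0xDA) or end of data.
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)  # counts its own 2 bytes
        body = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\0\0":
            return body[6:]
        pos += 2 + length
    return None

def read_ifd(tiff, offset, bo):
    """Map tag -> (count, value-or-offset) for the IFD at `offset`."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    ifd = {}
    for i in range(n):
        tag, _type, count, value = struct.unpack_from(bo + "HHII", tiff, offset + 2 + 12 * i)
        ifd[tag] = (count, value)
    return ifd

def privacy_report(jpeg):
    """Report whether a JPEG carries EXIF, a GPSInfo IFD, and a MakerNote (size)."""
    report = {"exif": False, "gps": False, "makernote_bytes": 0}
    tiff = exif_tiff(jpeg)
    if tiff is None:
        return report
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]  # TIFF byte-order mark
    ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    report.update(exif=True, gps=GPS_IFD in ifd0)
    if EXIF_IFD in ifd0:  # MakerNote lives in the Exif sub-IFD
        sub = read_ifd(tiff, ifd0[EXIF_IFD][1], bo)
        report["makernote_bytes"] = sub.get(MAKERNOTE, (0, 0))[0]
    return report

def sample_jpeg():
    """Constructed input: empty GPS IFD plus a 16-byte MakerNote, no pixels."""
    ifd0 = struct.pack("<HHHIIHHIII", 2, EXIF_IFD, 4, 1, 38, GPS_IFD, 4, 1, 56, 0)
    exif = struct.pack("<HHHIII", 1, MAKERNOTE, 7, 16, 62, 0)
    gps = struct.pack("<HI", 0, 0)
    body = b"Exif\0\0II" + struct.pack("<HI", 42, 8) + ifd0 + exif + gps + bytes(16)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

Run `privacy_report(open(path, "rb").read())` on a file after stripping; truncated or malformed EXIF raises `struct.error` or `KeyError` rather than being reported as clean.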

 


About the Author

Eric Lawrence (@ericlaw) has built websites and web client software since the mid-1990s. After over a decade of working on the web for Microsoft, Eric joined Telerik in October 2012 to enhance the Fiddler Web Debugger on a full-time basis. With his recent move to Austin, Texas, Eric has now lived in the American South, North, West, and East.
