Security Weekly

Metadata Surprise!

I’ve been poking at some metadata for information gathering lately for a project or two. One of the document types that I’ve been focuses on has been JPEG images. Why, you ask? Take a look at this web page. See all those pretty pictures. JPGS. Same with just about every other website on the planet.
Look like we have plenty of fodder for our metadata cannon.
So, I began analyzing metadata on JPGS form random websites that struck my fancy. In a few cases, I came across some good information; the type of software used to produce the image (great selecting a particular exploit), the author (great for selecting a target), dates of authorship (good for determining validity of attack and target) and finally some camera types (good for determining some basic financial commitment, and who’s memory cards to steal on a physical assessment). Mostly, I came across a whole bunch of sanitized data. Clearly I needed a better set of JPGS to play with.
Then, 18 gigs of Myspace JPG images fell into my lap.
I figured that I’d be in metadata heaven. I also figured that I might be able to put an author name behind the image of the two dogs humping, or better, the hottie showing off her naughty bits.
I was mistaken.
I ran exiftool on about 10,000 images (with some fits and starts; exiftool is a perl app, and providing it too many images at once caused it to barf), all with the same result. Every image appears to have had the metadata stripped so that only the metadata needed to correctly render the image is left. No author. No creation tool. No dates. No camera info.
Apparently, Myspace sanitizes all of the metadata when you upload your pics.
Good Myspace.
Of course, I had to test, especially since the 18 Gigs of images could have been played with to protect the innocent, given that they originally came from some acquisition techniques that could be described as ethically questionable (they were not acquired by me in that fashion). Here’s how I tested:
First, I needed an image that I knew had good juicy metadata. How about the one from the news story about the hacker 0x80 that Slashdot folks used to track down some pretty scary info on the anonymous 0x80 using the intact metadata:


Yes, this image has the metadata intact.
Here’s the output from exiftool -t -s filename.jpg showing all of the metadata:

======== 0x80_cracker_with_laptop.jpg
ExifToolVersion	7.23
FileName	0x80_cracker_with_laptop.jpg
Directory	.
FileSize	44 kB
FileModifyDate	2007:12:14 16:05:51
FileType	JPEG
MIMEType	image/jpeg
JFIFVersion	1.1
ProfileCMMType	Lino
ProfileVersion	2.1.0
ProfileClass	Display Device Profile
ColorSpaceData	RGB
ProfileConnectionSpace	XYZ
ProfileDateTime	1998:02:09 06:49:00
ProfileFileSignature	acsp
PrimaryPlatform	Microsoft Corporation
CMMFlags	Not Embedded, Independent
DeviceManufacturer	IEC
DeviceModel	sRGB
DeviceAttributes	Reflective, Glossy, Positive, Color
RenderingIntent	Perceptual
ConnectionSpaceIlluminant	0.9642 1 0.82491
ProfileCreator	HP
ProfileID	0
ProfileCopyright	Copyright (c) 1998 Hewlett-Packard Company
ProfileDescription	sRGB IEC61966-2.1
MediaWhitePoint	0.95045 1 1.08905
MediaBlackPoint	0 0 0
RedMatrixColumn	0.43607 0.22249 0.01392
GreenMatrixColumn	0.38515 0.71687 0.09708
BlueMatrixColumn	0.14307 0.06061 0.7141
DeviceMfgDesc	IEC
DeviceModelDesc	IEC 61966-2.1 Default RGB colour space - sRGB
ViewingCondDesc	Reference Viewing Condition in IEC61966-2.1
ViewingCondIlluminant	19.6445 20.3718 16.8089
ViewingCondSurround	3.92889 4.07439 3.36179
ViewingCondIlluminantType	D50
Luminance	76.03647 80 87.12462
MeasurementObserver	CIE 1931
MeasurementBacking	0 0 0
MeasurementGeometry	Unknown (0)
MeasurementFlare	0.999%
MeasurementIlluminant	D65
Technology	Cathode Ray Tube Display
RedTRC	(Binary data 2060 bytes, use -b option to extract)
GreenTRC	(Binary data 2060 bytes, use -b option to extract)
BlueTRC	(Binary data 2060 bytes, use -b option to extract)
ApplicationRecordVersion	2
Caption-Abstract	SLUG:  mag/hacker  DATE:  12/20/2005 PHOTOGRAPHER:  Sarah L. Voisin/TWP   id#:  LOCATION:  Roland, OK.CAPTION:   .PICTURED:
Writer-Editor	SLV
By-line	Sarah L. Voisin
By-lineTitle	STAFF
ObjectName	mag/hacker
Province-State	OK
Country-PrimaryLocationName	USA
OriginalTransmissionReference	175706
TimeCreated	12:38:30-06:00
DisplayedUnitsX	inches
DisplayedUnitsY	inches
GlobalAngle	30
GlobalAltitude	30
CopyrightFlag	False
PhotoshopThumbnail	(Binary data 3276 bytes, use -b option to extract)
PhotoshopQuality	12
PhotoshopFormat	Standard
ProgressiveScans	3 Scans
ExifByteOrder	Little-endian (Intel, II)
ImageDescription	SLUG:  mag/hacker  DATE:  12/20/2005 PHOTOGRAPHER:  Sarah L. Voisin/TWP   id#:  LOCATION:  Roland, OK.CAPTION:   .PICTURED:
Software	Adobe Photoshop CS2 Macintosh
Artist	Sarah L. Voisin
ComponentsConfiguration	YCbCr
Flash	On
InteropIndex	R98 - DCF basic file (sRGB)
InteropVersion	0100
Compression	JPEG (old-style)
ThumbnailOffset	17196
ThumbnailLength	3276
Orientation	Horizontal (normal)
YCbCrPositioning	Co-sited
XResolution	200
YResolution	200
ResolutionUnit	inches
Make	Canon
Model	Canon EOS 20D
ModifyDate	2006:02:16 15:43:01-05:00
CreateDate	2006:02:16 15:43:01-05:00
MetadataDate	2006:02:16 15:43:01-05:00
CreatorTool	Adobe Photoshop CS2 Macintosh
ExifVersion	0221
FlashpixVersion	0100
ColorSpace	sRGB
ExifImageWidth	3504
ExifImageHeight	2336
DateTimeOriginal	2005:12:20 12:38:30-05:00
DateTimeDigitized	2005:12:20 12:38:30-05:00
ExposureTime	1/30
FNumber	5.0
ExposureProgram	Manual
ISO	100
ShutterSpeedValue	1/30
ApertureValue	5.0
ExposureCompensation	0
MeteringMode	Multi-segment
FlashFired	True
FlashReturn	No return detection
FlashMode	On
FlashFunction	False
FlashRedEyeMode	False
FocalLength	85.0 mm
FocalPlaneXResolution	3959.32203389831
FocalPlaneYResolution	3959.32203389831
FocalPlaneResolutionUnit	inches
CustomRendered	Normal
ExposureMode	Manual
WhiteBalance	Auto
SceneCaptureType	Standard
NativeDigest	36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;3B11799D192F50186735EF6636B7FD47
DocumentID	uuid:5A82A660A09311DAB292D9FC4FB3D5EC
InstanceID	uuid:5A82A661A09311DAB292D9FC4FB3D5EC
DerivedFromInstanceID	uuid:5A82A65FA09311DAB292D9FC4FB3D5EC
DerivedFromDocumentID	uuid:5A82A65FA09311DAB292D9FC4FB3D5EC
Format	image/jpeg
Description	SLUG:  mag/hacker  DATE:  12/20/2005 PHOTOGRAPHER:  Sarah L. Voisin/TWP   id#:  LOCATION:  Roland, OK.CAPTION:   .PICTURED:
Creator	Sarah L. Voisin
Title	mag/hacker
CaptionWriter	SLV
AuthorsPosition	STAFF
Credit	TWP
Source	20051220
City	Roland
State	OK
Country	USA
TransmissionReference	175706
ColorMode	3
ICCProfileName	sRGB IEC61966-2.1
DateCreated	2005:12:20
ImageWidth	228
ImageHeight	153
EncodingProcess	Baseline DCT, Huffman coding
BitsPerSample	8
ColorComponents	3
YCbCrSubSampling	YCbCr4:4:4 (1 1)
Aperture	5.0
DateTimeCreated	2005:12:20 12:38:30-06:00
ImageSize	228x153
ScaleFactor35efl	1.6
ShutterSpeed	1/30
ThumbnailImage	(Binary data 3276 bytes, use -b option to extract)
CircleOfConfusion	0.019 mm
FOV	15.1 deg
FocalLength35efl	85.0 mm (35 mm equivalent: 136.1 mm)
HyperfocalDistance	77.02 m
LightValue	9.6

Now, I upload it to my Myspace account, and then use Firefox to “Save image as…” to the resulting image:

0x08 from myspace.jpg

Yes, I have a Myspace account. It’s my dirty little information gathering secret.
Here the resulting metadata form the Myspace image, using the same exiftool command:

======== 0x08 from myspace.jpg
ExifToolVersion	7.23
FileName	0x08 from myspace.jpg
Directory	.
FileSize	6 kB
FileModifyDate	2008:04:01 13:59:33
FileType	JPEG
MIMEType	image/jpeg
JFIFVersion	1.1
ResolutionUnit	inches
XResolution	100
YResolution	100
ImageWidth	228
ImageHeight	153
EncodingProcess	Baseline DCT, Huffman coding
BitsPerSample	8
ColorComponents	3
YCbCrSubSampling	YCbCr4:2:0 (2 2)
ImageSize	228x153

That’s a BIG difference. Good Myspace. Yes, I know that putting those two words together in the same sentence seems…wrong.
What about Facebook? I uploaded the same original image (with the juicy metadata) to my profile on FaceBook. Here are the results:

0x80 form facebook.jpg

…and the resulting metadata (again, same exiftool command)?

======== 0x80 form facebook.jpg
ExifToolVersion	7.23
FileName	0x80 form facebook.jpg
Directory	.
FileSize	6 kB
FileModifyDate	2008:04:04 14:25:48
FileType	JPEG
MIMEType	image/jpeg
JFIFVersion	1.1
ResolutionUnit	inches
XResolution	72
YResolution	72
ImageWidth	228
ImageHeight	153
EncodingProcess	Baseline DCT, Huffman coding
BitsPerSample	8
ColorComponents	3
YCbCrSubSampling	YCbCr4:2:0 (2 2)
ImageSize	228x153

Yes. Good Facebook.
Overall, I was shocked that both Myspace and Facebook had done this. Am I off base? Is this a common thing?
I guess I have a few more “social networks” to try. Twitter, Picasa, LinkedIn, Flickr (I KNOW they keep and analyze some metadata…), and more I’m sure haven’t popped into my head yet.
Looks like I’m still in need of finding a good repository of metadata. Flickr, here I come.
– Larry “haxorthematrix” Pesce
larry /at/

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.