Pixel That Steals Data – I’m Invisible
Summary:
A vulnerability through which an attacker can obtain information about all the users without their knowledge. The attacker can steal each user's IP address, ISP, country name, city name, region, device info and browser details.
This vulnerability can be found in places where you have the option of uploading an image by URL, e.g. forums, discussion pages, comment sections, messages, or anywhere an image is fetched using an <img src="URL"> tag.
How to find this vulnerability?
1. Go to https://iplogger.org/invisible/ and generate an invisible image.
2. After that a link will be generated; copy it and click on Logged IP’s.
3. Now upload the image. There are 2 ways:
i) Fetch the image using the web
ii) Fetch the image using an <img src="URL"> tag
4. Now post it and wait for some time. As soon as people start looking at your topic, you'll get their IP addresses, country name, city name, region, device info and browser details.
Mitigation: Proxy all the objects from third-party resources and create a CSP. This is only one way of mitigating it; there could be many others.
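A sketch of the mitigation above, added here as an example and not code from the original post: user-supplied image URLs are rewritten to a signed image-proxy URL, so the server fetches the image instead of the reader's browser, and a CSP restricts where images may load from. The proxy hostname, the key and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumptions (hypothetical, not from the original post): the site serves
# proxied images from img-proxy.forum.example and keeps PROXY_KEY server-side.
PROXY_ORIGIN = "https://img-proxy.forum.example"
PROXY_KEY = b"constructed-demo-key"

# img-src limits which origins the browser may load images from, so a remote
# <img src> that slips past the rewriting below is blocked, not fetched.
CSP_HEADER = ("Content-Security-Policy",
              f"default-src 'self'; img-src 'self' {PROXY_ORIGIN}")

def sign(url: str) -> str:
    return hmac.new(PROXY_KEY, url.encode(), hashlib.sha256).hexdigest()

def proxied_url(url: str) -> str:
    """Return a signed proxy URL; the reader's browser never contacts the remote host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("only absolute http(s) image URLs are accepted")
    return f"{PROXY_ORIGIN}/{sign(url)}/{url.encode().hex()}"

def verify(path: str) -> str:
    """Proxy side: recover the original URL only if the signature matches."""
    _, digest, hexurl = path.split("/")
    url = bytes.fromhex(hexurl).decode()
    if not hmac.compare_digest(digest, sign(url)):
        raise PermissionError("bad signature")
    return url

# Quoted src attributes only; a real deployment would do this inside its HTML
# sanitizer. Anything the pattern misses is still stopped by the CSP above.
IMG_SRC = re.compile(r'(<img\b[^>]*?\ssrc\s*=\s*)(["\'])(.*?)\2', re.I | re.S)

def rewrite_images(html: str) -> str:
    """Point every <img src> in user-submitted markup at the proxy."""
    def repl(m):
        try:
            return f"{m.group(1)}{m.group(2)}{proxied_url(m.group(3))}{m.group(2)}"
        except ValueError:
            return f"{m.group(1)}{m.group(2)}{m.group(2)}"  # drop unusable src
    return IMG_SRC.sub(repl, html)
```

The signature stops the proxy from being used to fetch arbitrary URLs: it only serves URLs that the site itself rewrote.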
Thank You 🙂