A picture that steals your data — A tale to IP Theft.

Repost from Medium Blog

A day ago my friend Pratik Dabhi shares his write up about “How he can steal data using a picture”.

His writeup Link here. He mentions on his write up that

This vulnerability can be found in the places where you have an option to upload photos using tags or URLs for example forums, discussion pages.

So, I thought to make it more impactful because sometimes Bug Bounty program is marked out of scope discussion page, forums, etc.

One thing that pops up in my mind that I can create an SVG image that can load an external image into an SVG image using <image>.

So, Yeah then I sit with my lappy and created an SVG image. From the bellow link, you can find the code.

<svg width="200" height="200"
  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">  
  <!-- Use your IPLogger link -->
  <image href="https://iplogger.org/1xpUi7.png" height="200" width="200"/>
</svg>

Github Link: Steal-Using-Image.svg

You know how to use it, Use your smart brain and have fun 🙌

Thanks for reading.