Testing photo metadata leaks on Ghost

Photo by GeoJango Maps / Unsplash

I started this blog mostly as a repository of the things I learn in cybersecurity, but also to document my adventures outdoors; you can learn more about why I started this site here. As a security-minded person, if I were to post a photo of a secret location I intend to camp at, you could steal my spots, and I'd miss an opportunity to charge you for those spots through a subscription-based model. Look, overlanding and servers are expensive, so yes, someday I do intend to offer a paid tier to get access to all my data. Until then, I gotta cover my tracks... This article documents my experiment to determine whether Ghost publicly exposes the metadata in photos I upload.

What is metadata?

Here's a quick story explaining metadata - in case you weren't sure...

Once upon a time, I told a professional photographer that she could find another photographer's secret shooting spots by reviewing the metadata in photos. The photographer was ecstatic, blown away, and scared. The end.
Metadata is data about data, or data embedded in other data. Some tech bros will try to correct you on that definition; ignore them - it doesn't matter.

You also might hear the term EXIF data (Exchangeable Image File Format). There are nuances in definitions, but EXIF data is just a type of metadata; it's all just data.

For photos, metadata is hidden information embedded in the photo file itself, e.g., the timestamp, the camera model used to take the photo, and yes, even the location where you took the picture, along with the direction you were facing when you took it. If you're reading this, you're probably already aware of the creepiness of metadata in photographs, but if this is the first time you've heard of it, I'm sure that's a bit surprising.

The experiment

I use Ghost to host my site, because it's easy, and I like their stance on privacy.

Instagram will retain metadata, including location data, for a period of time. You cannot obtain the metadata of a photo posted on Instagram as a regular Internet user; however, Instagram does retain it for a period of time, and a court order could disclose that information.

Prior to posting this article, I didn't know whether the photos I upload to Ghost, via this blog, would keep their metadata on my public posts - and that's a gamble, because I don't want you to find all my secret spots when I'm camping.

Here's an unedited, original photo from a recent trip:

Unedited and original image taken on a Nikon camera.

Before publishing this post, I confirmed the metadata was present in the photo by using XnView MP.

Results

After publishing the post, I'm happy to say that Ghost does do some type of scrubbing to remove most metadata, nice! You can validate this yourself by saving my image and opening it in a metadata viewer.

The takeaway

Photo metadata can reveal a lot about you without your knowledge. Most major social media platforms remove metadata before your posts are public, but they will likely retain it in their databases. Also, newer platforms or devices may not scrub this data by default.

You can protect yourself by scrubbing the data manually before sharing photos, auditing your location permissions and settings in your camera devices, and reviewing the privacy policies of social media platforms for metadata retention periods. This post isn't meant to be a full guide for all this stuff; it's just a quick experiment I ran when I was standing up this site and working through my own location data paranoia.